354300x8000000000000000958915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:44.834{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58243-false10.0.1.12-8000- 23542300x8000000000000000958914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:48.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EADAF8CF0CD4B545E6AAC1A38C1554,SHA256=B428519C3C1E4556C5B24617FEDF89CF2800362757886F17EA65E7C3D22FEDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:48.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F678B86915CB5DDD33B08BF56886362,SHA256=BD05F5DB2C5BC81DAF7E74D8B1A099C9707F8DFE0E1C50B30BEFF7AD56DB9BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:45.782{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000958916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:49.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74CC355AFF287864D9E9F94F2DDE837,SHA256=2D7563EF062925FF4654F37C82032E03EBED1593C71A902F59052D7EB8B6F779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:49.919{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=601EC7FEC46B93ABCC2F9C05B8455FF2,SHA256=94B39E5EF3AC21DC216933DAE9358DDFA85453F71B117340D55A3B1A599E886F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:49.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C4D2D62B2B24F7BF151F8201E3AAA0,SHA256=9278EFABA2BA093E3B9FC8A9947CA5A09D9FC9604FDE6B0616725FD8E74BE250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:50.815{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECEF6CE09514E8187E164ED5AB9B381,SHA256=59AEA712E916F83F42C51011A4B930F64E6EAD491F938C71E7E5A3B93149C961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:50.606{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D156B73A8A1F358F6BD03C4FCB5795,SHA256=37FE0EE09F965FD363E9F83356B4C47D374535105D7A075CBFF55B333A8D0FE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:48.619{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65334-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001022590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:48.297{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49958-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000958918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:51.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE2F559311D627889FBD3C017A9AE31,SHA256=BDD2E5429D1B56AC132746E85A5E3F20F63E9D865DAD71100BAC1DF3B6798D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:51.622{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4846AE78A6407F6CD3AF1B32301A79,SHA256=6A4610B696A9FA1628E48DF8603C00DD3D9209429BC33A9DD8C8D45374C864E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:52.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FBAB63DE49ACA9D732963AAA4672A12,SHA256=475CB35166013863DB758BA72311960D53E8765838D43999D1F8C32DA7FB347E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:52.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=632B97D942E942AA74DE98C886FDA8F2,SHA256=065C9E0796F05D667F32ACA54E8CB07C4CBBA06022BF3CDD0C4D85310BD81947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:52.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9B243B3D183707A700B22BDFC642F0,SHA256=EEE0A6EC1DE84E1ADAF32B405776B38730675A010966AE72A7D9ED1878CBDDC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:52.622{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BBA0275808CC8B3AC0372B3CC79450,SHA256=25EB30F88BE6B1B96CB2EA4E016002F8000F692EE71FB21B2730141BFDAB4638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:53.862{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9698634FBCFACA5375F31EE635480009,SHA256=46D6F7F023A247959868B01A0C42E8653A7B82841E46143AF1C32DBF2AEF3741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:53.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D6E5532A89BF19EA83373E3F88239,SHA256=58651D8877A2999DEC8E076806CEBBC3C08288ED78DDBBE3246299BB862C1674,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:50.011{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001022595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:51.782{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001022610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-750E-6151-4177-00000000FC01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-750E-6151-4177-00000000FC01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.809{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-750E-6151-4177-00000000FC01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.780{5EBD8912-750E-6151-4177-00000000FC01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:54.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055AE3BA08CC9C522E18833E81973105,SHA256=9BED2A2A978B6F5ED6B73D1693FEC83A0964D224462878EE0DA2F688D508C497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:54.878{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A805E2A3C490A2D366309EA59D0C019,SHA256=EE10F4803A420274050D244FDC5204AB66DCFA7A7EA280B5D52396EB620D1110,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:50.787{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58244-false10.0.1.12-8000- 23542300x80000000000000001022628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.981{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3088F3202F96030CF845F9CD5882FF1E,SHA256=71ED13714FE5B4BED102E401B316EB3563CF4A5669682535E2601941C5C8F57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.981{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C0E65BAEB9D67F533752BE635F3D80B,SHA256=6E4895D056BDD2627E850F2B6D4877B5C50943BFA6B20EA134570C195B6242F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.981{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE34F90799FAE4E089A7C9B334221E65,SHA256=A7A966207BC7BB84972B7CB9140EA1C83BD76030337EFD078D62D8066B863AA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.778{5EBD8912-750F-6151-4277-00000000FC01}25804412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000958928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:55.894{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703737D8B1C2871F668AB876D08ED62F,SHA256=F5E017DCAB7FCD1F009DE84238AC5333BB020C14515A3B15BA61B8EBA507717B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-750F-6151-4277-00000000FC01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-750F-6151-4277-00000000FC01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.497{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-750F-6151-4277-00000000FC01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.482{5EBD8912-750F-6151-4277-00000000FC01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001022611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:55.044{5EBD8912-750E-6151-4177-00000000FC01}12924908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000958927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:55.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FBAB63DE49ACA9D732963AAA4672A12,SHA256=475CB35166013863DB758BA72311960D53E8765838D43999D1F8C32DA7FB347E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:52.614{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001022655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7510-6151-4477-00000000FC01}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.872{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.856{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-7510-6151-4477-00000000FC01}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.856{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7510-6151-4477-00000000FC01}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.857{5EBD8912-7510-6151-4477-00000000FC01}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.809{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC68A56726F59ECE9E57D312F7E7C2D2,SHA256=0305A2D6C9FDF8D8DFA88347953E56C5AEA8A76892EBA2C40BA186896A7B9492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:56.909{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3469BD3697C54798BCAAEDF43614E878,SHA256=9BA129B095318E4197B889AEAFA9734FFE9A2F61234751CF8DAFF53EB745F6A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7510-6151-4377-00000000FC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7510-6151-4377-00000000FC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.184{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7510-6151-4377-00000000FC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:56.170{5EBD8912-7510-6151-4377-00000000FC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:57.825{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F9E8DF4791814F47D76316F10086B0,SHA256=B6AF216C6038B283E369CC31A6E6F6741EF893184ABB6F8F378357793D1E332C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:57.909{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5671C2128128149A3BBACF88FBD54B64,SHA256=1CD9A562804911E890310BA3B31381F0EEDE2143FF670FCB5077359D142F83E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:57.356{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3088F3202F96030CF845F9CD5882FF1E,SHA256=71ED13714FE5B4BED102E401B316EB3563CF4A5669682535E2601941C5C8F57D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:57.013{5EBD8912-7510-6151-4477-00000000FC01}49045032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000958930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:57.519{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=498C38DDEA345CF2B48F2335EF07B611,SHA256=CE6AA3337E6BD0B2D7ED56E3A7600F7F1490467637334053848642A189D5A8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:58.925{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F93F0659E4EF8A9BF66C982584C8FB,SHA256=D400A359274052F68FB42C5F5E31011E4E890813A686C9666E7765F7A23BCC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:59.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CFF86F23179D23E2E84034468C8620,SHA256=7B88372AA31A234337623AF3C9395308E00C9FED5FB2C8E8419B51ABAC179B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:59.059{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE2DE26166D7BE6A80BE8060A3A79AF,SHA256=B4B1AA80780D0A3DB0CE269418E278AE311205CA097030DB465C8D0B72F41727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:59.705{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F3932F452ECBBC195811FE0DE91DDF3,SHA256=EFAC1CCDEEDC8FAB521AB91483E5190962E3D61C691B62BD619A2D9FAC0FEC21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:55.714{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com62396-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000958933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:54.803{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57444-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000958939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:00.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543E630522A6047601696FD2E5FA3485,SHA256=B9C83BDE13AF0F7A1389DA1A7C7B8CB12940221A87D50F25AB875461277FA098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:00.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719CCA5E0D6907B15B9F92D7736FD8EF,SHA256=921E234EC24F38DFB1378525515ADDD2147F85F174F1865E2051F90E2D2C1569,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:56.787{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58245-false10.0.1.12-8000- 354300x8000000000000000958937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:38:56.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001022660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:57.798{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000958940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:01.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6433CD4749B8CE681E9B93E4C38E829F,SHA256=63729347F8D588D72B3EFDE04A13822AB24E415F525DCFB4F6348970E955D833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:01.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE76766C2BC4FF80180A52B7F155B58,SHA256=20C5F0AECAA35A59550252933460BE20FB813BE58A0C44E4BB966ACBAFE41944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:02.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAC58B3217864280202F93505590431,SHA256=1BEE14A6EE829749DD6086EA3CD6DC7B639E51183C2709C6F78C97C17074F403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:02.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CEC52EF0D7D86FF90F4E84B99206F9,SHA256=14EF2C3142651E46F24DB2436B04AE6BF4F1F823D9D761E1C67E4B184E246256,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:38:59.817{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55638-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:02.076{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F156C1746F60AAB18D97C1F1F789D8,SHA256=560F1E577580E702E9DAF56F70750AF9BB90AF3C7F87C6C73A35D681438AFB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:03.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF4E6E9E37ACD9159B951E79B185CEF,SHA256=7274D829824D6B9F74EC78546D909A89776FF07B4A1C2111432413EBAD52A734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:03.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF810428F3710601BB944981349F302,SHA256=729F6A2BE678996E348FCF6113DE8245C6997B6B860A99A1021B711A7628A733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:04.670{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A0CB2128AB97AD67220B82894A54E8,SHA256=9954B2384F5E8D52BF005E44D55F2EA900E8AC762DF0A3A95E333F64C6DC2233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:04.342{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7FA6FC616F5A5C336F926809914F20,SHA256=3AF799099BECFCF5F60EAE182ECA537EF77902571F9B84761E6A7EF169CFFB59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:01.877{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57004-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:05.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80650F6043C11830A5E313561F77628C,SHA256=2B32A59AECC793E391BEF6FCCA481058801ADF2BAFB91A7ADC503065C91628B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:05.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02790BDF259979C40F7DEA872406652,SHA256=5AB348DD2D404E059A840B939F2D4CB0AC785C7090C0260F26243CAEC54E0200,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:02.956{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:06.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5CFD3B42D40062904B5AE8A2CB01D5,SHA256=D25D592E91F9E37856A8537A743DAF3B7F6AE8E140750C290E7692682A0091FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:02.692{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58246-false10.0.1.12-8000- 23542300x8000000000000000958944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:06.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA5FE22D670B8E063A34E6310C519EE,SHA256=3869CC303CEFA2DF7655CB8ECC7363B2996486FFEEFE29D092411D5AFF49837A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:07.376{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5915336C0246F97F329590A6EA6585,SHA256=1AF7E5FF70E9716EE66CF0520F4C36E63D42410E60E8D2C08DDF9D1FC15DF304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:07.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1D29EB3C5E0A78B86813F4A8A08F6E,SHA256=2D930BC1EEBDAE8482EB050AE18306FDE1A7FBC973B7AA15F7BC52C113224CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:08.592{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523DB022A02106100244A92FFEBB5840,SHA256=510D76E7BFB42AF6027C1F55B395D3C9B6F22ED326527E8C5243D74F10761EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:08.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9684757D179182A4D568CCFC3E519287,SHA256=BD23A2F8748E037E21CCA61CF79463AAD1613DB771375BC2FE1B801AE2F3805C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:09.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7B6592A4E9DB460820998E096AE18D,SHA256=5D1F2F8E0428B7957730F8166F1678D74B83FEAA15A6D92A3933B377B0C0C248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:09.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E87E56B93E6E6F5A6B20966F12530B4,SHA256=6B63A6F140333103DA65D359B30A180B88975CE339BA1177D73354EF793B95C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:07.526{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49579-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:09.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E96C4918541991126FF57AA1902272AA,SHA256=07B76F26531338DABFCC765F072A493742DA0DB8B75D610B94F33F50ED47306B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:10.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185DB20DB3C1970EC4AF847459433CB1,SHA256=CA42A7071DAF0A8F0F5994A9200B75DA3802575243E0E9D423F9D6E224470415,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:07.895{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58247-false10.0.1.12-8000- 23542300x8000000000000000958949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:10.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86490F7A3FF9F81B85727341C259AAA5,SHA256=3A3E09E787A015B917E7AB8FFB0618C10F7ABA0B4A7F4F562E809C9203A43031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:11.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD36C7B424AEE343897EB4F479E1266B,SHA256=58668F42FA2D318E05B8F50F8F101B0F0CF18ECAA72C62C60C764D54A805C414,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:09.247{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58248-false10.0.1.14-49672- 354300x8000000000000000958955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:09.044{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com58694-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000958954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:11.658{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:11.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12A26E74FAB96103E87BBD60286C374B,SHA256=C064727C47117DECF7A592D9D70B7414CB6F273EF0C19C9F8799B7156460734C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:11.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B796EB5F54070D2652E12DEC668A7350,SHA256=DA19924761EBD7C79FF34401F8307F8EC177519A74FCFD2B62FC44BF6AFB92D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:11.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10689921ADCCF95A7613786B7E910A73,SHA256=DC28432F0A39CAAFEC94D0DF5D17DA18C484D1436783BC328B07982E86DA82DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:08.939{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:12.831{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4217MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:12.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39E214D34DF8570C21FE0CE9881128E,SHA256=A15AE0CEB29EDB58BF7F63206E8B01F468D2806BAD83C68F71EAE5F2620DA478,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:09.759{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62571-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000958957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:12.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF08BAE55CA72C8FCEC3C6D2075E588,SHA256=CA5E7FA0B2930DC0F24EDC1B97DE4CCC2A3A89030D567F25C5906B04204E73EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:10.290{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58248-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001022686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:13.830{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4218MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:13.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222A34DF4581A083ED53D11A456694B9,SHA256=A0C676A9C4349B1065039D95842D37931270DB4DA92CEB3D4DD9373DC016A867,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:10.302{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58249-false10.0.1.12-8089- 23542300x8000000000000000958960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:13.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12A26E74FAB96103E87BBD60286C374B,SHA256=C064727C47117DECF7A592D9D70B7414CB6F273EF0C19C9F8799B7156460734C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:13.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864A5925970A5C40454A90579C2DC731,SHA256=3AD7A26ACDBDBEE3D6ED19FAE9FD3140DBE6BC7C1E2F803492D66C408B48CC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:13.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3758D70568607EF3FAF00D0825DEEF65,SHA256=FC709718F6501DE0E08A700D8C84D18303D31D7C6ED98F1E88B5E7F31A454C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:14.786{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C5F5E4EE04EA6F901EB07B6882765C,SHA256=57DB4681E8D94DB33644638870105C2F61CAE0B34A14271AA53DFAD1B5961344,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:12.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000958962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:14.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1C2081EDD80C02DB0A15F0ED5A9D59,SHA256=A0D8F2ACDF0B8A8C330D8BE62ECFE143F9081915E2A13983906D668D0B2FFAFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:11.748{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54266-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:15.786{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD2C11105AC7E4BE5A066937B540221,SHA256=A3C677FFE4B9160BCE602D51538C6676D3523DF8C234971BC31069A854A8B991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:15.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB5717B82825438372440270250A2E7,SHA256=EBC242EBE9EB8BB44FAEB060FE47E09B71160F0390A4FC2A1390C2E674A4A756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:15.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F13196282F2CCD141B76BAAF153C0DB,SHA256=723BF2F363BEFF69551C9C02E42D4ACD6BDCC07ED6884F3E0387E2C6DEB09C4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:13.956{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001022689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:13.920{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000958966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:16.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A5846E1BE4B0B4ED08C08DD80C8C1D0,SHA256=D249B13D80DDDC4889EFECF88EA7D9A52BE03FC62C5D5A508AFE985C13FD3D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:16.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FF595D2DBEE88916FD83F0D311EA53,SHA256=B5B223ADDAB56F5277392D3A3E9A860B2CFD495AD012F3069C51E4C68DE263F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:15.072{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52373-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001022693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:15.072{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52373-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001022695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:17.036{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E6AAD7E7D89C336D7EB91A33516872,SHA256=63D0F696D58975A4697ED1DD89AC607780672DE68DD73A5FCB71A86DF21A4F8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:14.112{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57194-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000958968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:13.895{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58250-false10.0.1.12-8000- 23542300x8000000000000000958967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:17.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A53F09F874B38C7B0D96183B6E6E574,SHA256=A19CD8AD06495F1FA168EB7B163D8A5057BFC0D1192B39FD37BC938C32A78E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:18.255{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2B1B7A693D0F7EC987CD5D7FBAE065,SHA256=6F88440FE6E5A2B4C35D719C61FCACF7D5BE2FF26DC1D4D75ED1987A7E5DA6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:18.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0586B08B3E5E6AA0D7211FD1284072,SHA256=5B575B51B601A32C3776B146C76A95385C4A3A778D66BF6938BFF04AF7163E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:19.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CDEB8FEBB4A669755A84332A37929E,SHA256=5FEBC79B6E9D8A0D5F4796DFE7E5EC79F9CBB17E13C65E5A51A16E7D1DF5D6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:19.255{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDB8B23F1BF14F1A6C949B244ABB63A,SHA256=D4C5351E7969373285B9B2FD1914E97BD06FC806C308375B40549020FE689724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:20.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FD33C61691CC21417EA6A8990639D0,SHA256=EF89948366DBC5E739FEA93A3EC068FEE3F233E91B601FAC792EF4E6558A7007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:20.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=398BF45D25125153467D991D180EBB60,SHA256=1230B871FE923553B8F6CA76C6FB7D82B25C8C638C8E52FD56D8A108DCE05B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:20.162{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2DEFB5BC7A370F93E5608498F0BD24,SHA256=163BCEF6616895D113E75EA700EF3CD345CCEDE23B6CBB3F82753E61663E7CC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:18.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000958974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:21.178{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E897BE9F9DA6CB59D82DFB86DAA2D7B,SHA256=4B1F8496265ABAE9624AFF8A6F984E136783940DB8B6E9ADA3573A03522BF15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:21.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A4AED80B315FB0B308AAC9CE784E5E,SHA256=8C84C1D9F7449A20A921FF6883579B5FD15F64C1CAF6B25361BB5215A18B31D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:22.281{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0A83058E6AE63BA59A14E505D8E9B2,SHA256=BD52063F755BC83F130B76F04B327894FECCAA67A83EE802772C258A77FC653A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:19.837{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58251-false10.0.1.12-8000- 23542300x8000000000000000958976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:22.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987C79932C71D4EAD5BF236BBA490667,SHA256=A7831D277678EEE34816080AADD2F18A3719BD4E1D33DBC9B7D3F6DD5EFD508B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:23.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554174404D25B2B4738CDF8AC468AB0A,SHA256=23E2F2320F0BB9D7293CBF551282FC22E90250C96997913F982191982FCC964E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:23.875{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A68BE222C521261049BAFB1209510A1,SHA256=D098EB2A103077793CB9B457478A0557ADB6B848C7040711C60B5C809D350D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:23.875{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97C7927C5320CAEF609F95142B2E652,SHA256=C045F50D52D92CB01C30390F0DBC700AE59026162268BCDC94417C18C8A90D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:23.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098668068860D5D682499D42E5CB5ABA,SHA256=BB6D88500CCC143397D62E834948669B21C2DA8AE073A6E33DACA85CA52B7B65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:19.863{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000958981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:21.886{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000958980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:24.631{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A5716A2D394D89E1601EE39EF1DA37,SHA256=8B88877196BF7BC838E8FA57EC7C0171A2FC81AC4DFB6F2756FCB01AD7CFD956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:24.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB5CBD735659415C8BB65B72D797809,SHA256=5C45AC139716C74C9F755BCB59EDAB987F66E761A2161C1E44946CAF075BF7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000958979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:24.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3605F04C4358670377F430AF1373FD4,SHA256=BAFB12928FA840859DA775A638D9FC83995114412ACA3B492D98E3D34FF4C929,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:22.252{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000958983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:25.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B07EF693A030377542DE56CAAA1F97C,SHA256=B0076E4081E5DF217E856027B7443FDE079CFD0677E2C9C3BB325B8DBF9A5501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:25.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DE4A59A8EDB0FEB730AC75F277A604,SHA256=9CAE7446690CC765B191A977A23CED06058C122F9DA9B5DC88B6FEAE5A89349B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000958982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:22.660{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com55294-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001022708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:26.312{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD60CB93DBDC9DEB539A881CD2BB8D2,SHA256=F1BF928096DEFC3BB64602C7677F719BF0394C08017BE08E74D855B4DC317744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000958997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.490{69CF5F33-752E-6151-3777-00000000FD01}1001932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-752E-6151-3777-00000000FD01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000958986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-752E-6151-3777-00000000FD01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000958985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.318{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-752E-6151-3777-00000000FD01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000958984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.303{69CF5F33-752E-6151-3777-00000000FD01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000959026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-752F-6151-3977-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-752F-6151-3977-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.599{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.584{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-752F-6151-3977-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.585{69CF5F33-752F-6151-3977-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.537{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=783E74755107517A8360AC4B67B3D41F,SHA256=87CBCD94368E7D1C4ACBC1BDEC61FF0BEC20ED58CBAF6D8EFD806AB4A79A9402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E918BA310197F8B72284424D9A489958,SHA256=2A9F24A81B657C522DB5A7D2372C6A621A16DE31DF205332900A15A1659C66A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.178{69CF5F33-752E-6151-3877-00000000FD01}9961264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001022709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:27.312{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38FE68F0635819003335F3F9F19CF69,SHA256=E1D06F5884518C9004AA75422AA54A5950C2CB7F068FB2EFF7CDAC6A5F2EA8A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-752E-6151-3877-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-752E-6151-3877-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000958999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:27.006{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-752E-6151-3877-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000958998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:26.991{69CF5F33-752E-6151-3877-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:28.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A61472091373B68B9023C6609770ABA,SHA256=B9A8901E2482EBF2812FB719C2D15D0A29E7D5E1B28F1C77BB6899377558760F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7530-6151-3B77-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.974{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.959{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.959{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-7530-6151-3B77-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.959{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7530-6151-3B77-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.959{69CF5F33-7530-6151-3B77-00000000FD01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.599{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95170C7EF11B99CF9541E65B25F78326,SHA256=21D6B83D699CC7B950B95803D1B4D58C7CFEC28CE66F18BCD4E09272D3136D01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.474{69CF5F33-7530-6151-3A77-00000000FD01}2844012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7530-6151-3A77-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.287{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-7530-6151-3A77-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.271{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7530-6151-3A77-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.273{69CF5F33-7530-6151-3A77-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:28.256{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F605E8A658872E2BAD841F35DEFC4C97,SHA256=B1BC68EA8C6D3D26A845AEF494234201AB22E5D944CC71325225D62CE09C6340,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:24.914{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58252-false10.0.1.12-8000- 354300x80000000000000001022710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:25.770{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000959071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.787{69CF5F33-7531-6151-3C77-00000000FD01}22841312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.662{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7531-6151-3C77-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.662{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.662{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.662{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.662{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.662{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.662{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.646{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-7531-6151-3C77-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.646{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7531-6151-3C77-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.647{69CF5F33-7531-6151-3C77-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:29.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF778D07702B4A09E5A3C548F60D3CA,SHA256=AD762AA3B0C90B3112BD508E6E4A3366FA40A7D4B3D9115A9F81C5C0E770B11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:29.750{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF299E659D0612F2F1DF31780B01306,SHA256=FC642A931EEC6BBCEEBF380AD7E8D65E3922955B6A0E9F983570AD0CD29B6ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:29.750{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A68BE222C521261049BAFB1209510A1,SHA256=D098EB2A103077793CB9B457478A0557ADB6B848C7040711C60B5C809D350D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:29.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1956973D5DA25FC8D75A53538E50C7CD,SHA256=5F2C9FD9CA69A2FAC37BEBA2C4C575DF14C0EBEF11BA3E8629547ACB5F916628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:30.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44744D9073F63A595100F8E60287EF1,SHA256=3B3B02059041962057327F53CBA5FF6CF54F748ECA0E1FEB979C74C0ED031EB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:28.136{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50560-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:30.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8208199AA55FFD4E530FB98919F7A857,SHA256=DC54B3D7B6A3CC2C6347C80EE922FEC6D52BB7E2279029F29D8CC737E4F45F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:30.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51EFA481A5DB97705E1840903241BCA9,SHA256=A31507CCE644C1A1A69D9D5930D09D9B6D3D82AAA8209AE3DC6265021E092BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:31.896{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0ED77A2B6E45859A690997AC2BE0B1BB,SHA256=498FB8AF9646B3BA6486158A3F3854DC84518C6DB236B23829A52EFFD282012B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:31.599{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81AF20EB23E92B36998251DA9E9D4A5,SHA256=6E33017AE8E89EAAA097B4FF72688D19CCAF83684A6E554C15ED83D695EBE037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:31.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCA6E9DA10642F9251AB929166DF9FD,SHA256=18C98824D82C39C3ED3B2F965423CE6AC2C8AB2CE80AC714542F1240C6E9DD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:32.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FBA3C5D6A6BAD2B6168AEEC6ABCFF8,SHA256=A14BB5BA2526957EB4D77861108143E4DA2F91678A1462E3DF2AC7CEA4225BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:32.484{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF299E659D0612F2F1DF31780B01306,SHA256=FC642A931EEC6BBCEEBF380AD7E8D65E3922955B6A0E9F983570AD0CD29B6ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:32.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8CE976827F9BD5BBE4C3DE6AE1942D,SHA256=CC2F1E6A89C93C121FA88657C387B1DA3E4C6E49F5FCDF30D7F9D3CBB3B610D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:30.941{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001022718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:30.868{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58624-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000959078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:30.124{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:33.006{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB4FE4CB2AA75B42A026A6D47B293199,SHA256=BF85F2D80B4EDCB36678051B928752F8E5C6B637E8D8B5B6A410C2E5819030D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:33.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4DA9E88FE549980322F1F9423574E5,SHA256=3C37C67DD24D87B6001D523CB1BF8DD2112F2524FAB8E2E407BB835BE11C947C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:30.852{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58253-false10.0.1.12-8000- 23542300x8000000000000000959079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:34.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F9282CDA35AD7278171EF887383848,SHA256=5F6447DC00F0BC7B9A3EC1C291F625343E554DAF9E45A7C22AF86F78090672DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:34.547{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:34.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703A5C97693BB0B84F3F80EC3E627D84,SHA256=3A4AFB57B729FF60398119A7BCBD7D198212B4266E986FFDB2EEC734A89A19D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:35.302{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D00C89F685539FD62B0DB39BB1B9E85,SHA256=EAB8E14E2DACD37810C161A88EEBE20C6458340F27C8B2EBBFBBE299CE37AECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:35.375{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8F9AA63ED202807E80426C99E63433,SHA256=9D9B12AFD01EB49F8B3CC6F79087C331D4CF12DA124812C80E61E376534B4587,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:34.546{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61125-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001022728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:34.224{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001022727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:36.375{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968CC5EB2C5CCD20D77BAEEC147EE141,SHA256=5CB8BEAD3EC1B83861EF539481F12AE0A94FA7A965AAC77046A206682FD8C6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:36.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6882A68C1E6FB7E9394357448AA972B8,SHA256=19AF03DAEEFDB53CE0CEF2B27D17BCAAD31F1C56B903595834BEFECA1C3DAEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:36.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65D7CDA5723FF3C6F4D730828A0DE89F,SHA256=3EB5CC6CFF72F82695BA23C70B0448B676A4AE0B69446715C6B138D27BE2068E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:37.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FBD362B5D05B114A045E591643C935,SHA256=0FD006D341E900AB24D59D6C9F388D51DF37F42DF6F9FE1F213C3CD06FD60723,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:34.637{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:37.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A44CBA3D4643F39F4107946F2F735E,SHA256=B6A1B92DE3614CCA879787B954E2237ACBAB316954D9B0E394D2E3FA38E96C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:37.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C72F47B921B74DA58C439E69FD86ACED,SHA256=3474495222509995818851AE828D5F64A19B374944BD6CB3A6BAD53DC29664FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:38.562{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CC0A9D7C43565700CC855767B73BA9B1,SHA256=21417C273C2BDD88C703C8BD336BFA5CD10EF9227F3E875FC29EEE0FE381F133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:38.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60709C164848481EA1B9B87238F8302,SHA256=114E5C9F1A7104C258A89A5D72EC57FA7790674CCDEC33D14C20968B9D4D332B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:38.756{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B6BF3843891D7E9A95DE2F6E57EBC2A,SHA256=D5CD5325AEBAD0DEC927EAB44375EDBE0735481D88E13F7C573297C4D70E7A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:38.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16395E02FA2271655FD7C93D387B32A,SHA256=2B8883A4B9FC192DF7599178CB758D31D0A07946F1A3D3823467B10EAD74155E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:36.895{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:39.666{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563EA921BAC2080494EA4D90F7A35819,SHA256=AB992A0E93A6BC799608477DCF132F2BC6D9AB2FA6EFE92098FBB4DC79DDE99F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:36.774{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58254-false10.0.1.12-8000- 354300x8000000000000000959102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:36.182{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com52220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B086B997FACD9ED1CA2501B96B929093,SHA256=C09E177E657BF6BBC5057D207A5EA4A8F91C4C0296840F013BE27868206892F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-753B-6151-3D77-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-753B-6151-3D77-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.037{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-753B-6151-3D77-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:39.022{69CF5F33-753B-6151-3D77-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:40.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBB2E84F88CA9434260B35835F543AC,SHA256=2964997B5700C3A359967E1D2090B6042DB862177E2785E4E21F03B4B441DAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:40.406{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4908389096FD96295CA115DFAD281D99,SHA256=81A502082D1E171446754D38E2204A09D50A00CD5F97298B21BA3434FC3BF537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:40.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6A9A8A53FDE3832D9179E4C01E51698,SHA256=4689E5DB19E8F98307165E99B22537BC749EBC4B11AE1749A218CB35680130AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:38.401{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64056-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:38.282{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-59602-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:41.406{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362F6C20C2CA2037386A947C5C813ACF,SHA256=C255EE3179A6E7238A3DFC9D7E8DB5496DDEE01A766EC9F001D3A4AE778CD45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:41.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0496110BBAFF464AE13FCDE4347EEDD3,SHA256=A4A8D6CFB489327A8B1F28DEADC991407FFDAEDDA56563045BF1394CF09E987C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:42.424{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FC772D19435CCCA1CD4D9A2FEB8DBC,SHA256=35A1E8A13BB78B0FB6241D7F79A984A5DBDF10F949C42B801E84C1335E75DEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:42.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4587D514ED37D18D38C1A937C6EDF9C,SHA256=4A5202AD40DD76C96B2DB1F6B6B8F2325125782D7FE0D90A96656BAFFA800432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:43.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0700DB45A4728623D64A8BD139DA58A5,SHA256=008082980BCC0989036E945F69D8BEB6DE8600F2FF426FEEA6B3DBD9DA396429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:43.275{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DF0329A0BE963FDC8FC046EFB9F555,SHA256=FB188E72EE6DE587B5541E3EC2166817BBA2D8874EDD7BC173514BB9638661B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:44.354{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B001A777052F897344757C005905D671,SHA256=97AF90A8AC7A7A3CF2A6EFF57809A615D09F5540B33E96E9C76242AAE9008D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:44.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F26FCE9E7BA5DB2F417D98FA06A4411,SHA256=28C8251BC7245763837068C8A934B1D08B8C1001E4D2C4964F6E3487EDF671F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:45.941{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4218MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:45.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FECB25A9A0A64EA2911FA1AC2542A695,SHA256=99EE9284C2E7FD975BBB6FF022F748938B5D84F6E4B62DCFC456C25CA7D7B25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:45.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C682E1EB70E6B1EC3691937A948D88B,SHA256=AA5D47533AC8622E4ED23947A1DD024E1A55836630F6F3E5F4A1CBD4739310FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7541-6151-4577-00000000FC01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-7541-6151-4577-00000000FC01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.854{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7541-6151-4577-00000000FC01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.839{5EBD8912-7541-6151-4577-00000000FC01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:45.354{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53598E7AB8013770AFAFFCF4D8A67A16,SHA256=C8AEEB44B7DE929E19FA3ABFD8D3EC131999E4E62459C4575ED6DBB4A05B447B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:42.780{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000959119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:46.955{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4219MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:46.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60973D5FF73E6C60EE1AE4EB1B721EC,SHA256=F5DA560D8DF655BF5D583455B53E9EE07EEACA1830115A343DF3A5E6DFA37A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.666{5EBD8912-7542-6151-4677-00000000FC01}3401884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7542-6151-4677-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7542-6151-4677-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.494{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7542-6151-4677-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.480{5EBD8912-7542-6151-4677-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:46.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B03736D0603FBC8268D18A46DC8DF4,SHA256=531671D3815916E4CB9040966CCFC3304B7E4D2873F858C35AA0814E4C9D78B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:42.734{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:42.706{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58255-false10.0.1.12-8000- 23542300x80000000000000001022784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.463{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E001A63DEB0F41D3D9227B1AE42F781D,SHA256=1C91005742DE2B43FD62943FA5905C9D223DF37A834444A59FAC36175C835CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:47.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD75C24C8AA28786EFC39F91042DACBF,SHA256=9BF728AC1D499DA3465A9D8F70FBF6949DC2D40A6D261132B37699DA029BBFA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7543-6151-4777-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-7543-6151-4777-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.119{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7543-6151-4777-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.105{5EBD8912-7543-6151-4777-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.072{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A1EF6BC22111178C916423C1DC9BC27,SHA256=70576966497B2D5237F726CA1F55E2B4A144EF299575EB170A3284AFEDC6BD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.072{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E0CD706240DD532F954F54553EED5C7,SHA256=7E51E33732EB11BDAAEBDD9A5F830B045937E19420622DAA762469D7E018A212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:48.682{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31488C4AB3C2150CDF7B01B190738F45,SHA256=A7346D7354C4E4F0F5A8459A0117E86062C1E447A96443C24EA8060251E3F0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:48.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38BAFCF5C2FBE751017123CB46AF896,SHA256=58D9038A114D37AEFDF5CB25E47C1694556364D8BF1DA38BD9D6D8F78D4D4F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:48.338{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A1EF6BC22111178C916423C1DC9BC27,SHA256=70576966497B2D5237F726CA1F55E2B4A144EF299575EB170A3284AFEDC6BD78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:47.889{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:49.682{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF903A7C947AC11AC60DF13B061FD54B,SHA256=8C564F84E8207A6D62D1B6CFFA1C43E4BA9CE94D2CD5825B5DDDE147C60100A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:49.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B0163F91DC72C15852D126B791E77D,SHA256=8E1A31073ECEA8727E940E646D0B9FD57FB6C5B6CFCFADD11657CBF6532190F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:49.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F43CA388EFE95DEAB1D76BD6B0581B,SHA256=9D8B8A3BB5EE430C536B24778E06639570945525B99402A7526DDA77A9F86AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:50.900{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8091F5729AC4B87B48D8F6EBD8DDC88,SHA256=2450621A04C547BDDA8721700E8C722BBE32FCB2AA95ADA3C7C0222BFBF654B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:50.502{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBD8E1FE7EFB9F23E528E3A7E1EF0E3,SHA256=14B5B1146AF473959B4940474DF98564903AEAC25488DAFBF0E2717F4CDBBB56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:48.001{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:51.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2D158B69243D0E72A4B2033C755742,SHA256=BB6A492A44F8F2AC354505DFF5EC1635A58636E5944B859FF48CC840E998E832,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:47.848{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58256-false10.0.1.12-8000- 23542300x8000000000000000959128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:52.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545F5852678CB00A24648E2171608240,SHA256=CE0D1975757FC2F9C347AAEC99BD33469D12C095FD63EFC9E67BE96770E61606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:52.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB151741F37E59F8121C4FF8B8515557,SHA256=3C9E45055C49F4687CFC92FAF960C8E9AB41A61E7CC5721EBC0BCA9428F55068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:52.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE6FCE7022722015EAC248E26B01456F,SHA256=831BBDE3B2D048A0B523CE2B67701B9F7A4CE54D9DAA3654666D1A1E26B77CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:52.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A3915EC9A8ED274A073BCF3E6B72669,SHA256=2F5FBF784FF4FE736754CE69062D3B0700576F1E146132B7D8CA07F812EEB91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:53.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B0159E3B6B0A9A2A5ED8E4D81DA40A,SHA256=43A5C4C8B94C633AC3BC8D08D9D63F69B2BCF5A23E232A19D59DF50AB875136F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:53.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EA6773212950DCCCB801062C1B9E024,SHA256=89C66F0B264FF9C0D49CD885FE1025CE6F154E688835B79934FE1087206D619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:53.135{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57B40C1C018AC68A195A874EEBE91DD,SHA256=BAEEFE2C12DFA74AD0F6F32FCA3A12103E833B4A2F364A28157E15F65F1C964D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:49.761{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com65175-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:49.705{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com55888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:54.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED77B5E58C9D6245B7FB71A7D6EA23C,SHA256=152C3E71B4F4987B84FBD5EB3BA4EEDEF8D96E522DE9F1216C6D3F579ACB813B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-754A-6151-4877-00000000FC01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-754A-6151-4877-00000000FC01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.791{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-754A-6151-4877-00000000FC01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.776{5EBD8912-754A-6151-4877-00000000FC01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:54.150{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57A639A462DAB81E07FD92A15CF8692,SHA256=E2D98CDB6A98CCE5E5A90A3B73BAB2AC1C88751AEB8815A0A979AC6EF14A8C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:52.004{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:55.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B42A0AD498CA982BF8BB9084AA5248F,SHA256=B9055632BC6D74F9F5E02C6F00E845DC41D04A662D8889C82A559101AC019849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.900{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC807194CC41A77717C7D55107969D20,SHA256=F7B14966DBAA3E61FC776B38BEDDA3D59C5EB3262CA2ABDF07C22D69BEC67603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.557{5EBD8912-754B-6151-4977-00000000FC01}24322536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-754B-6151-4977-00000000FC01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-754B-6151-4977-00000000FC01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.400{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-754B-6151-4977-00000000FC01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.386{5EBD8912-754B-6151-4977-00000000FC01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.166{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0940010FDA75E99B287630C8A03E9DCB,SHA256=A2AD9199D98A1EC59AC7450658DF191B014E26E49C0C580809508168E4186C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:55.010{5EBD8912-754A-6151-4877-00000000FC01}28724920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:56.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828FB2617868E50293A8B92D0F260BEF,SHA256=9D4F2D0D80DA0E8C22F90FBBDE828720EE4E7B13B5DDA0046CCE26B9DA9747EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-754C-6151-4B77-00000000FC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-754C-6151-4B77-00000000FC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.729{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-754C-6151-4B77-00000000FC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.714{5EBD8912-754C-6151-4B77-00000000FC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001022842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.244{5EBD8912-754C-6151-4A77-00000000FC01}41842756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001022841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:53.764{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A68B63F2ECFB781C246C3C72383AE5,SHA256=D3D011F4A38ABE6D770962257871713565A693AEFEFEB099262960786EC8E952,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:52.880{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58257-false10.0.1.12-8000- 10341000x80000000000000001022839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-754C-6151-4A77-00000000FC01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-754C-6151-4A77-00000000FC01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.041{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-754C-6151-4A77-00000000FC01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:56.011{5EBD8912-754C-6151-4A77-00000000FC01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:57.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B6B915BAEE3F86217D9CCC29A8C46B,SHA256=DE5021E2E5688C9E0764F470B06FC42F6CD33E88664DAB8DB9880A8981FAC70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:57.260{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341AD945E7DC7AEDCDD3845AA7E30B11,SHA256=C049394D96C346BB714276C4171ACD232D559410A386574FD8583026F5ADAC13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:54.504{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:57.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE6FCE7022722015EAC248E26B01456F,SHA256=831BBDE3B2D048A0B523CE2B67701B9F7A4CE54D9DAA3654666D1A1E26B77CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:57.135{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=529CB7CCB043F7F5F3DEA060E1709A82,SHA256=98A66083A64AE19297C881A4D58D16B05C7F72D4013BB1B575E07930C8F64AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:58.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3B2A8775072C6D0C23307E1025ECEC,SHA256=7ADC18C049D52C920422664B9EEA78FD784D39B2C5C493943DE8C3C721D0F944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:58.338{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE11F60C1593F6E9D4D7181E8D146D7B,SHA256=7D74AE02BBCBFBB6F09F5A2494E2420733E32113E25B7455061F3A04D404283F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:59.599{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C3C8D74256585FFE4DDE6D3D16E210,SHA256=BBBD79A4CC9D5961E4F413D7514EE68AAD22F60EEC1CBE5655FCBF9130DB7808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:59.354{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97414301660994377DF619223291AC71,SHA256=DFCBA9B135E5CB3D60AB9B414CE9759A75AC38AE52CBC6FB2CFC511CA1566422,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:58.936{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001022863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:58.037{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59344-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001022862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:39:57.125{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-61138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:00.499{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3F00AC9EEF8AB6CBECA12092B8F28D,SHA256=B7913047C20DDE5EF98D974F2A02C153433D17742059F207DEC544A98193B74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:00.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A6CD825F1923EBFAA87E2CF8B2C39B,SHA256=3908015ADCB669E978F9AAE3FCDFB817A3D9364748EC977A7AE2D267D1B686A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:00.343{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFC9BAE13EAC41C875A90FDBFD42A30,SHA256=1E6B536D4EAC0A5022990057579490AE68DCCF186BDB6352ABF747A1347308CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:01.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F717E595160EC63BB45E30EFB9C207A,SHA256=0F9A429B1B266B2CD17F62BC0D951D7FAE7C479B4871B35C113572A76E550CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:01.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9085F183B6444F8517113DD6565B73D0,SHA256=C10073A9A19A37821AC1788FEECC10490E4397C39F4F36BCB544CC70FB1CF334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:01.193{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=368E4ECEE782A343E462C9ED18953A6E,SHA256=964E862E19D380E993ECAE58FFC02C76A975F2A812500E4B7E8C17F51AF4D34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:02.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FEEC5C7326D2E180E83628552DE22F8,SHA256=9CC2E1A747FD36B8DBDB87EE58369F7281FC50281061B306754172156CF0A802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:02.577{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63DABC2FA9ADFF3A34B6D79DFC95086,SHA256=3A5BE29369800F9D6D7F67230B8A78F50769A1C69C14001C7A61959E21A9AB3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:58.773{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58258-false10.0.1.12-8000- 354300x8000000000000000959144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:39:58.494{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001022866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:02.218{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D06D52BB18E60CA92DBDC74B5317DEE,SHA256=046D4A6982F5A3A851880E10897472F0E5B106A9F9985E024F01455C0373F42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:03.577{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB47E91F2AA18CCBB74753C1B061FB9,SHA256=DE9EE5202908476F44603FF37156128E121283E69183C6E822FF6696EEF92730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:03.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE7A0839A1D676EFB14E3CE952E4BB4,SHA256=04BDC188CA5AA8445B4FBE3D97A226E930C786E2E8BDFC65D8171B44B24A443F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:00.635{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60915-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001022868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:00.566{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:04.796{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD704014D596EA95D568584B828A03FB,SHA256=9D443A2920353033EA74F03C50D18235FBE7BDED8DCC43627207D9699BAB7C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:04.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2D4B33F88E48A6DC547D3EB1EE09F4,SHA256=5DF36E4A99ED5372083439C7DD9F61D766F07F796CEEEEC9F834B7B4A609388E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:05.849{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7D2227707E30CBFA6072A5E134036C0,SHA256=ADE264AC87DA8D4C43EA47C0CB96C14DB817148551E4951C323A0E2D30C2C571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:05.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FAAB6D8F235B165DED005342090ACC,SHA256=E0EE7CB17D235C23B63F5BF1735E385898AB10BB1046241A5595EE26CBD1EF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:06.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACD9BE69102E2AF8AF85A70A4B0647D,SHA256=791FEA006211AD7453903FFFA0944CC5FDBCF169FE8E80F7B64595893B1186C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:04.878{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:06.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6190C0D2417BA0111C5F9893DBAE292,SHA256=75412A67634E5849D2D422F79B0FEEA522BC942E955B9C1F410DF2AD6924425B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:03.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com62020-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:07.708{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B2BC00609281D6E3C170A6960C7DD7,SHA256=05DC7B77DF50267041F18FB210A40F387D3AABC653C98149ACCBA55E31B5A716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:07.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D55A9895A06CD924AE62F1C75B2565F,SHA256=6E875FCE76D08017B9E535E9D34003B4067E554D96572AAFCA0631FDF8816D5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:07.521{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:07.521{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:07.521{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:08.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D8EB2FFF706B8D0AEA247C55D42697,SHA256=AFF4E4C8B05B02673AB8C2B68120F7354CB21CDFE93A6EA149419E8E8E4136B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:08.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8357F61DCC97C259BC51B5C97B1FA02C,SHA256=B1339285338A89907AAFF187BCC274AB3D94B842F1C584251CE0CD8427D15117,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:04.789{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58259-false10.0.1.12-8000- 23542300x8000000000000000959159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:09.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2302A595AF87A492ABD5C3FEF2489E4,SHA256=D57DA9080079DE82C2CC1BC7A672DD050D34A52D1503EE7974E92A5428F8D999,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:08.230{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001022880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:08.080{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001022879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:07.416{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62589-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:09.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EC21E4601F219CFA7132411CA52734,SHA256=D37F84B466799ACFB4DF96374BEB27A5B042F0F973CA342E3F26DBAD0EABF65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:09.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E255118F6005C2CE8CF3BDD131949927,SHA256=1BF8C66B072E9FB5EB080D0C25A599E0A661F7D97BA9254B7BF4CD27E5715F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:09.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ED298A43422F2B8A37B094D6E93FB4F,SHA256=CD50B6A9FA8EF9823DFDAAF5367626D8381A283DC05428DB68D8254DF0A99764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:10.265{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3775C0BDD82398FD6F1E70EC818E8CA,SHA256=DD5B24C6CC136B1BCF54187A566457FC2B0414E3D38EE0E947CBC610B6868302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:11.677{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:08.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49924-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:08.030{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:11.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E046BF327C850B477D4131D39944779,SHA256=2B77691DD0D2103B3A6839DB02411F6E37E7E609624B5E3D955CF19EA5B333F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:11.265{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7979958791C05E89060E5415703A39,SHA256=02B91FA7EABFC4E98E07ED40984CA53C2659C6170D010998A4828A32D96F1B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:11.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E028B528B16EBCFC7E6D7AB78566A20E,SHA256=DB1912423F7595CDAED4B4C90BE247F561763280AB9AD57363E483EE2B1A03FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:11.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D16B30FAE0725A946BDAE4521B4170,SHA256=B026CEEE6CEF7F16DC9CA2D0C4A008DD6E975D3A423F18EC3007543F7EF839C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:12.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E132C981E6166F6B70E110DE6AF4A5,SHA256=0D779708500E4FCAD11DAF58AEB54C60BB7DBF2AF0D9DC3C5B95D7781B583796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:12.280{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F58A9966F3E3F1D892E588E9D45E209,SHA256=694B7FE898CC6A8321092F9AA09D14776F4573989B7FE57552F71F8C8EAF01A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:11.047{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51702-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:10.710{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58261-false10.0.1.12-8000- 354300x8000000000000000959168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:10.320{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58260-false10.0.1.12-8089- 23542300x8000000000000000959167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:13.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E24EEEDED50C90C26625547CC043C3,SHA256=E231190A25ED1874FBAF5420169CFA728ED2ED901ADDD9F25FA7B94F1F9DCEF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:10.815{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:13.296{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377A8C845B57825E69CCC3304198BEC5,SHA256=389452A8547328F82717B84B9E6D86CC0081638A87166F6A8C76DAE67441993F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:14.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E028B528B16EBCFC7E6D7AB78566A20E,SHA256=DB1912423F7595CDAED4B4C90BE247F561763280AB9AD57363E483EE2B1A03FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:14.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B07B5B0AF6F2C94BC31CB77290E11A4,SHA256=432775620144DB4C23ADCF13498D757D77FA01A40BAD04FE11A5143BC2A3D51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:14.362{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4218MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:14.298{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4042665B703CAE73468CD2908CFACB,SHA256=FF5827608F77CBC290E88999389DD3DBD0A72C50F3CB3CC676D8A891192AD030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:15.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20661A9986623F9095AC74DE00162F8E,SHA256=876C07DA4C506225C20102C12D754A04187B52E3C1D069DDFDE04FE77FDC00B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:15.376{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4219MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:15.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAF9E5BE3C720977ECD9A58BE4BF6FF,SHA256=9D10414E29FD0C4D7821CD0FA29BC77BA4A3D471D8A208403F141541A335AD2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:13.223{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.237unn-212-102-34-237.datapacket.com41854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:16.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3815344B8BC02217B2953256CE70A152,SHA256=94E2085665126BF766CC8E3AFEDC7C9D01185083B1C711A0BFEE2ACBE05CF9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:16.408{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C4196655EBB99490855048DD374694,SHA256=2A31D05C738EE3C0E2F3DCEB27E9504A25A796366ED802DAB3A2A1673BCC6A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:16.408{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E255118F6005C2CE8CF3BDD131949927,SHA256=1BF8C66B072E9FB5EB080D0C25A599E0A661F7D97BA9254B7BF4CD27E5715F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:16.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C012E9BFA982475E19AD77D9AB6CA26,SHA256=115551E990A7783EBE0B66B9FE421CBE7F0EB1E4770E61A6B1F2261E62CCE84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:16.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B49E3F29FBFFD2C55FFE9C6CCC051A4,SHA256=56EB3F59544B9EF542E81C6307C2369128ACE1835ADD09211E67A17E2C763382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:17.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A345D2F873C0F35839F324CDC54422C,SHA256=5AA1C69440532A65583D6F7CAA53AA1649A95D64C0E3F656E308BD33A7958D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:17.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02211F8FB7EE7E461B9811C6732E7172,SHA256=AEB208D106CA5AC368A800B7A7662A316214980768E272FC5126A1A90282F7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:15.072{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52385-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001022894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:15.072{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52385-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x8000000000000000959182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:15.851{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58262-false10.0.1.12-8000- 354300x8000000000000000959181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:15.629{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54699-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:15.047{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:18.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C1FA1EA1E0DCCC2226F60BFEF9CC83,SHA256=384C822E2CC374DD0FA9F8958D8AD837022E24ACA5A54BF37BCA6D3E64A1DB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:18.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904317581C9C6AA07B780C717A97F25E,SHA256=381B45E015EBDBA89C9906A02D17DF5B8341EF22CE292B546223B1FFAF3D77AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:18.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C15CA529E8156B032F4AA8AE5AB0CB,SHA256=6B6471479EDD66CC31A0AF888C8A40F3FDAACDFE18B1254338D65234ECCA884B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:16.818{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001022897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:15.500{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53852-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000959184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:16.963{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com58732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:19.836{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29C320CA4723E92786EAB1C66E7D767,SHA256=C46450903EC5ED64BE11573A7424A741908A007AAEE61CFDAFD43049BE6E6B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:19.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132097F7DA0B41F2CE970B609C23DA96,SHA256=FEAE10DC392E37D3D0C4225288B1DAA7EAF66CED15DCA1F44FB6083FE1011724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:20.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AB160552DD14A575678952D04114B2,SHA256=94FEA0DAFCC451818C116F826FC5176C3104791D29F328F6645BDED253E89AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:20.705{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D822097D0192CACC2744AA37B34693F,SHA256=AF8934BAA1F610C9CE9375D8DAC217BC5A60465A7DF0AA42C3943AF3DF5EEF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:21.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EC68EEAB6AE614D60AA9EB84C35D94,SHA256=8D1BCBC78F77EEA9D1000C51FE32A4401AF434A7D60A91B7E8C29A0ED50B8DA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:18.574{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com53076-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:21.720{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223516CF99486E7A298E12FDAE909D75,SHA256=62C1CFF6FFA0C645E398801E7567EF13C7E6D7E579A06AA81BE300C3541B1497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:21.126{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C4196655EBB99490855048DD374694,SHA256=2A31D05C738EE3C0E2F3DCEB27E9504A25A796366ED802DAB3A2A1673BCC6A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:22.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF32F32B33706DCE3C8D927875ABE058,SHA256=DEDA68B4904DC18F5F0977728C3F39E5F8D994E2A7764AFA79197157BE338720,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:20.817{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57269-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:22.736{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F70F0995298227D2BAEC550C2A65B4,SHA256=8735A70ECA74E7D26D3471C7D3C69EA72F67CA7769F92486D3C30A41F0DDE631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:22.455{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91DDFD70AB7B8D24C1709105B4EAE66B,SHA256=7A133E7F854225BE25E738BD53651A509752F4AC9F2B8BE0CBC488C43632C5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:23.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7833E9DDB3A6D54D42818D3846CD5BAB,SHA256=7F11A5740E08EF1D7A1EC88EE9A3D7F02331D24830CBDB7EA43ACF47B0983E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:23.736{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D157C6E828EF7488C501C113488BC6,SHA256=BF49D4ECFD43EB487F0E6D2267EE36E14937EDDBFE244757F54ACA25BE596765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:24.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391B4AEDD47A85A87D0FB860ABA38947,SHA256=C2B27205D78FA3C79996CA67D4DB824B2C0F5BAF159B20C4EFCF6E6E6F790863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:24.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94A8754560661A68B660150CE27E908,SHA256=51D2670EC3A340C9F1776E6E0CF46B624ADD69C4EA0E3CE7A23ECF0F66433EE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:21.760{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58263-false10.0.1.12-8000- 23542300x8000000000000000959192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:25.914{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BDDFD145502C8B39D2980972ACDFCB,SHA256=18FF88A3FADAFDE30BDD0DE629F465B09B3A11BE0486E03A897ADAE43808989C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:25.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623CC72649F968855953C3EB21E16B0D,SHA256=9806CBF7D716E38FD492776A16A330E395873484FF321FDB813B56689BEA0466,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:22.823{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59263-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001022910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:22.740{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:26.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C603824942D557D27FA13554E9959F20,SHA256=00D153BE187772FECEFB61CFAC01C1B2F796F5F4A7CD30AFB2D4F3DF7FB5BB99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.492{69CF5F33-756A-6151-3E77-00000000FD01}1081080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-756A-6151-3E77-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-756A-6151-3E77-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.320{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-756A-6151-3E77-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.306{69CF5F33-756A-6151-3E77-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=142FF961D940C53CEF4F1D8AE8220C0D,SHA256=3B3F9C39F3CA7BB8DEC77D3A7BA8096A8E11E71595C03C1072E7D4DF98A0C965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E47AB9383CF3B1A75430FBD4E38EDEE4,SHA256=2E0130BCC58180E1795F8E6A91E1B658B01D7FD3192B0D79AC5DEB3051E5153E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:27.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300A3FBA212EC9BCF85B96ADAC271D4F,SHA256=593E1DCE76E18519D12989953AC32E135160F89F256E4BE85CA2FDBE5346480B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-756B-6151-4077-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-756B-6151-4077-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.711{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-756B-6151-4077-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.696{69CF5F33-756B-6151-4077-00000000FD01}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=142FF961D940C53CEF4F1D8AE8220C0D,SHA256=3B3F9C39F3CA7BB8DEC77D3A7BA8096A8E11E71595C03C1072E7D4DF98A0C965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.226{69CF5F33-756A-6151-3F77-00000000FD01}4123620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-756A-6151-3F77-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-756A-6151-3F77-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.008{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-756A-6151-3F77-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.993{69CF5F33-756A-6151-3F77-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:26.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4214B411311D1961B21C564447BDDF18,SHA256=6B4E6DA7F28CDFD183B9AA7AA61BA2587D0C27E90CE680C3CD5EE82F8E6F4F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF80245D603E3645448E16EBD69CD934,SHA256=1796A0D63B2FD98F18C23661D06893CFF5C5E4EF85AB37762E36AB05876C657C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.554{69CF5F33-756C-6151-4177-00000000FD01}35483172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FC20F38148A8BB4A714D667B8DC0AD,SHA256=63D7E8A1F6E7324F0EAE5C64BF2E7992E2F6942FC226951E4AA9EEA4A9625774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-756C-6151-4177-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-756C-6151-4177-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.398{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-756C-6151-4177-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.383{69CF5F33-756C-6151-4177-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:28.783{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207AA6D0A5F78669E8CFE705BEEC69FF,SHA256=C4AF62CC71A5AC3976D69FB9F5E631A7D9B190E9990A60B59D52B7B22AAE5F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:29.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0731EBF05814ED6DBEB57E491FD781A2,SHA256=6973F530BD6EA6E08063ADB7F033BACA7A983EC869A17203552581F9DB62784D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:29.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51FE0E51A93024956953221FAEC1D82B,SHA256=6C217DB2711CB70B520924DF89622C1BA2051C20F6CBF352E7718BE0E7A069F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:29.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCA1107AD2F51712080C533E0AD0EC3,SHA256=73D134F28E2331970F2AB28397E7476373493BCDC6ACB45998AEEFF521E28AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556F2A057E80CABE9B87DB6230DB60C1,SHA256=02A6368B6D2AE46126F90ABF0F8165C53F278E6A7BDD076C12AD23608048ECB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-756D-6151-4377-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.773{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.758{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.758{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.758{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-756D-6151-4377-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.758{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-756D-6151-4377-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.758{69CF5F33-756D-6151-4377-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000959266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-756D-6151-4277-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-756D-6151-4277-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.086{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-756D-6151-4277-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:29.071{69CF5F33-756D-6151-4277-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:30.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157C0EA1C01F8F2A5D75C2E91DCA0021,SHA256=7A35E32B88FDDF3FBF99778F43C4DFA7E361A04FC5BEE98BF5532DA891660DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:30.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBF287A04612087FC3E481399F37378,SHA256=B7E96B3689744345250A63FB55377E7989271C74B54918B6618541825E92C89A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:28.189{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51460-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001022918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:27.849{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000959282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:30.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03593709A730DF0233D771EE4FB49B77,SHA256=0791DCA11A21283F978C9F9791D2463F1DE0119C3C17882E6A561131857432A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:30.042{69CF5F33-756D-6151-4377-00000000FD01}36441192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001022924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:31.814{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FECE368B1C215F7C4629B26499B666,SHA256=C126681E0D39BC8D9EF6BDA466A11D0313CCA15D5D8A88F36D83A1BC6DACF5EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:31.898{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C93E3D95B94E2EE6BD3C04F367BD332,SHA256=489F692315F02F5DAF1A0BEF2B964508DAA86EF6A777EC31DC02BB29FD839560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:31.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565CDC8353286001F0C720D7BCE307CB,SHA256=841A4C9871B4B916BAD500D4FDAEA6AEED3975E93C33837ECDBBF83177031EEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:31.033{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:31.033{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:31.033{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000959284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:27.713{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58264-false10.0.1.12-8000- 23542300x8000000000000000959288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:32.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3324DFB17442369BE3A0CB0A48121B3A,SHA256=FD1B041CEA0149FE28733938484ED8D770F6C35285391B7723A0D9EA24314BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:28.226{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62725-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:33.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57430EEC9734F7A9C45F5F340E0255E8,SHA256=8E47437462E306B0100A78CB0B26012B596DD63638FBCA46D116EF3E287D64C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:33.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23B12B72AFB3984BD7AF35AA09209E2D,SHA256=2CEA11BA99905580114BF191A316CDCF3B8E1A83AEB8D961FE98597BE43E9BC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:30.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com55888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001022926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:33.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0731EBF05814ED6DBEB57E491FD781A2,SHA256=6973F530BD6EA6E08063ADB7F033BACA7A983EC869A17203552581F9DB62784D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:33.064{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77BE29D9DFBEFFDA786DEB2C998DEBF,SHA256=D66479C0F03C2901CE7FEA9909460ECA7F361E430807BDF079B9322CF18A454F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:32.149{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55927-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001022928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:34.564{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:34.283{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642DD243D0F9D7590189C092A8848B05,SHA256=7B9F7A796D0F9CBD13E24C5F6A1F408C70794E63AA3CB16A95274EA595335E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:35.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8093EAF9F866A8D9EA4C83565CD2E287,SHA256=D883E47202276C1EFBDC8614D8E550857C49C78BC77BE0393200CF5D38299FAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:33.755{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:35.314{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BE4823D95D4FCE2030C9745D0F91B4,SHA256=1D55805BB00555512D46F4D57BB22BF810C39E6309C0CDFA3FDDC496DD86933C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:32.806{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58265-false10.0.1.12-8000- 23542300x8000000000000000959293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:36.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648AED01DEC931F308AFFB01DCC6C11F,SHA256=8FFDB38FD7716939E8E174DCBB9E7DC223FB7FC09A8104C1F3F581E758C3730B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:34.240{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001022932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:36.470{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE5F73B1C7693DD579D4793B72443BB,SHA256=EE74650E91E35678256BC0AEAEBEF235A5C3D4C61EA65D1D71D1F8FA70614CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:37.586{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1301C6C85AD402EC91D6EC3B9336447,SHA256=448C99E80F6C408A5CA3E5752061235488D694E75D1A3CE2C6A0DD58EC71A9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:37.501{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E569F0DD86A665A5542D2BA9AE347D,SHA256=3359075C8042AC13B28C34E38643BB5D56AF76DA963CD6F67622E52A82F0619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:37.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6F63526D516FB84AEBE08B3164FF75E,SHA256=DEAA15E7D44AE6615B81A3165FEF0FF72B0AA208D674D9E859134263F4358527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7576-6151-4477-00000000FD01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-7576-6151-4477-00000000FD01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.992{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7576-6151-4477-00000000FD01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.977{69CF5F33-7576-6151-4477-00000000FD01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7E78C3DDC4BFC3108741D6BF7D31F0,SHA256=11E59A956074547A565728828409A608147238BC69EF25F1921FB313488D055B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:38.564{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=70225DF262666C139DC39AC163DFA4B0,SHA256=13F4BF6702BBCF7C20423A79C0A1BFA55283D90A8A64290DBE9C201DC7E8BAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:38.501{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37649494D271ADCF5F573E28BEDE4C35,SHA256=1E6D12E75405D92A66080E8A0F07919736EAB0E704FD0C5D040442D1D67970E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:34.633{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58803-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001022956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.626{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.626{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.626{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.626{5EBD8912-7F2D-614D-0B00-00000000FC01}6242836C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001022952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001022943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB9EE9052320050DEA4D5AA138311B4,SHA256=6B056AF129BAD9B4341619BA8CA18B13CFDB0A6FF6C533F847EFA94077FE264F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.516{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001022962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.214{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52392-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001022961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.214{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52392-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001022960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:38.850{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001022959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:40.626{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80EEABC4E32C43460B71EB055CAAF12,SHA256=8F4472D76D27189628297F04A8D80DD5793DA577A7CB5E5EEC7EDC3D65390CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:40.517{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A81A8928A6CCC0799DAF4C9F7284C0D,SHA256=AFA479CD84607F08CA31DFE918677C179A22A86FE8CF9A5B88E06286A7D36455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:40.517{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C29134B2AAB524CEA434B77BD1A0034,SHA256=4E3AD2B0A83505B27ECDE600CB190E77DFD24180060FB6860EE76F5987C4115F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:40.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53190A4F002BB5D6A795C7B692B15269,SHA256=9BB9BD8DC8D42C176804AF1B4CC3929271CF102DD932E639F92DA6189F313228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:40.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C37217DABBF9E0761A3D390222151A29,SHA256=5395A056F898A580E80C3C803200FCF1E45A8C01F97945859049EBD9E9C23233,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001022967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.321{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52394-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001022966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.321{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52394-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001022965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.227{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local52393-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001022964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:39.227{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52393-false10.0.1.14win-dc-429.attackrange.local389ldap 23542300x80000000000000001022963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:41.532{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E410E7902C49626BBF10E62379B11AFA,SHA256=05F19F83DBFFC888D5799EE8377B2F680104B94C9F9BB8A52C59D98CC9126850,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.728{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58266-false10.0.1.12-8000- 354300x8000000000000000959316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:38.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:41.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=984AB1FC34F136C5A27CE39828FC981C,SHA256=2CFFE4531634500064B94BD68506D0A2382D02061105E9FF950F0C583DB84A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:41.054{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9174D81F59F7FB81186AB514AF25994B,SHA256=5280FDF18780B1DD8EAE736058C2C825EE89DEDF6A8333EB5B9291E6EBBB6B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:42.532{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDD59D412142AA557EE1990CF032C40,SHA256=DFBAF4F155635BBE9543BB7221AE245C6DB782C4B0B9F73A8CA662916993BD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:42.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F0AF9AD0261F0FED75F8878578C1C5,SHA256=5F6E27107DE3E4565539400FF044359268F42F4CD953B2A19C697EAD1A3AA923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:43.548{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F02ACA3D83CD86CA06FCC3F240D7CC,SHA256=CD7B28444D6D5A82DA5F3A649F45CB0FCC3D2A6E1B6B982169DB9B3812612EB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:40.842{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-62474-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:43.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42D968163CFE899C4C13F9912B9DE290,SHA256=E93E01FB6475648FD639A24434D6B97FDB3D597261D00EFF1ED5FCBEFC8FE482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:43.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0927A2260CEB6383752E7D58A3B808,SHA256=7BA04B1C117885A134C25F39484AC1582BC0C6CAE01F51EB39679AE1E10059D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:44.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA777005F7450C0979D5905333F7C653,SHA256=C764EBEEA0E8E9811676C96900F0645C0946154941777ECE8561335028AC2AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:44.101{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD9BCF4A3234BA5153DB895ACD9C470,SHA256=348ED253C617923C0D849B4D88793D05C370514F035CF738F5D5C70D53442DB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.891{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-757D-6151-4C77-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-757D-6151-4C77-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.876{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-757D-6151-4C77-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.861{5EBD8912-757D-6151-4C77-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001022971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.845{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1ED2690B0A06F7B353037B7058D45A,SHA256=0F4775A90626FB6B3AA4889DE6EA58FD13DE88869D1BC1592840000B58F6E34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:45.116{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67FEF3B8AF24B9AC3A6E85933EC056C,SHA256=C2E1672B6540D7D763603A328FA76D2D9EA18F61DB28F13569DEA3BFF2EB90F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001022998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-757E-6151-4D77-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-757E-6151-4D77-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001022987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.579{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-757E-6151-4D77-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001022986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.548{5EBD8912-757E-6151-4D77-00000000FC01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001022985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:46.063{5EBD8912-757D-6151-4C77-00000000FC01}17484808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:46.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCECA3CE55ABF4A5B357E5DAB54C80A,SHA256=0306F7DE97BBE7862622574DE3F7ED65A94F38F6BFAADCA643757BAC2279E6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.485{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E79C3C63F0B7C4962ADE9CE76B9ACDA,SHA256=557FA4B853460DED52FB9157112CE860656EF1A26AD196237118C0974DAA5AD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:45.669{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56557-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:44.770{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001023013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.282{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-757F-6151-4E77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.282{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.282{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.282{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.282{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.282{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-757F-6151-4E77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.282{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.266{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.266{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.266{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.266{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.266{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-757F-6151-4E77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.252{5EBD8912-757F-6151-4E77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:47.647{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D96DF57098DF681149DD7E40E63BC2E7,SHA256=92BDC74ECDD65D42AF846BB46045B2BE84A19E5228514DDFA5F34BBC5754427F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:47.480{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4219MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:43.884{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58267-false10.0.1.12-8000- 23542300x8000000000000000959325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:47.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762A510B16A27B5AEDE53CC9BA268888,SHA256=134C55551DA1F2DA366DCB5C94E4204BA1E65D5163CA7061C142E554BE6DF16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74382C8718363502D52F3B48690BCDD4,SHA256=B9C45B509CC102534E857D31986F51F9C27B579ECB17BCDD1D15D8F52186B5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001022999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:47.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A81A8928A6CCC0799DAF4C9F7284C0D,SHA256=AFA479CD84607F08CA31DFE918677C179A22A86FE8CF9A5B88E06286A7D36455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:48.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860E43E7148A19878D4D04FC1A486A0B,SHA256=1F18C6030B1474713608BF29BD9A746AC947CE5A1858F944ACB99046CBD86181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:48.492{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4220MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:45.072{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com52790-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:48.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F551E4D4E96F69BE3C5E0F459AA5C3,SHA256=7DB69ACC4F1068BEB8A93588B40631AE76D2DC99451618AE8D8A05C55AE75706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:48.251{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74382C8718363502D52F3B48690BCDD4,SHA256=B9C45B509CC102534E857D31986F51F9C27B579ECB17BCDD1D15D8F52186B5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:49.829{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992039684CEF02AD7F1A9ABC43FCAB1F,SHA256=6DE5F6E5AC89D75A193000054ECDE2A71E932309199858B9FF7E5A89AFEB7286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:49.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7338A09CCEE4687C45A7FC7C4F6A01,SHA256=74F733263746AEB77234EC8CD1108E26FF34E53F6413764C964781C1B435C758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:49.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3712438AE37925F692BA97E9C45F7857,SHA256=DA9FF9302A0D07B12F91D82C31670B3F50E28C76511072436438CC044C5F64DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:45.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63672-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:49.148{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDB44B3A8D2017A76F4C668F6986194,SHA256=1CBD8971B3352C1B667F69C8913ACC739C3B90781A8F1FCB7D1CAD04E70C3A3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:48.213{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52502-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:50.595{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFCB7E6DB760D6EF6E95456C07B19A2,SHA256=AD4943E0E3571AC7A4BA9929014903FCC178D0DBCFB5098A7FECB6C7ED9FF86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:50.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989E58C34C11BB0B5141C0C45D8E6911,SHA256=E6444291C4F7BB337028ED32D331CC77737749E0E65545C89F104CE43E28652F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:51.595{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41F713E8F4B61D123DCC5CC0D1F272F,SHA256=DE50BFF764355C2B759ED601BA1C84D6DD47FBC9FD023D19CBA2336388B78495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:51.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09720F12163FB83EBE19BF061360B0C,SHA256=40F5D5E551E852426F21B221A95F9BBA5394BDD02B0E5E9158C2DCE27F5B6183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:51.579{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A28E3F42AB4FEB54BAA11F7DEE3BBCD4,SHA256=F15A2E6C3E9B4F74F01D8C735C0052BCEF446FDA0627FD3F639116F043B05274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:52.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5E3846A81A8CECD9AD4F911C9E4B8F,SHA256=98CAB7837EFFD1E86AF936DB7091EF821FC37502653C389425B1892681844560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:52.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749E48C93F0CA6A140F2AF1B79AE9BBD,SHA256=C8C71066DB49E6395D36B3BC9E7373C9417FB7FDCBECA304BE50D56B191D2D9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:50.755{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000959339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:49.853{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58268-false10.0.1.12-8000- 23542300x8000000000000000959338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:53.211{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8150885BD360C55D90B99C682C3F84E,SHA256=3F93E792285483069D56AC0465E40D446FBCFD66D39CB78D4E50F6D26DA591EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7586-6151-4F77-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-7586-6151-4F77-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.798{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7586-6151-4F77-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.783{5EBD8912-7586-6151-4F77-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001023030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:40:54.063{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001023029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:40:54.063{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001023028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:40:54.063{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001023027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:54.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5916FCFBC070266045C2943BD4640956,SHA256=B697E9CE7E98889EFD766E4584CCA81141B742BD1401FDC0D535E7E1EBE7C4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:54.211{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA482DF1FC900F815DD58497B78D05DD,SHA256=1C5D5422433D52EA040C69CE0CFBD599DBAAA5516B9E1C8AED1B80F6778E9AC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:53.858{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61671-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:53.776{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52399-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001023065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:53.776{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52399-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001023064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:53.765{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52398-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001023063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:53.765{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52398-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001023062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:53.741{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52397-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001023061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:53.741{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52397-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 10341000x80000000000000001023060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.704{5EBD8912-7587-6151-5077-00000000FC01}4156508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7587-6151-5077-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7587-6151-5077-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.485{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7587-6151-5077-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.470{5EBD8912-7587-6151-5077-00000000FC01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.095{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94477DEB252BC666F67D2248C346A069,SHA256=9AD346FDAF75FFBA914FC07ED1B989DE31310C988A985BBB1F0FA5505894D4F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:55.226{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF4140B7100B2DF0BD2D3964F2C42AD,SHA256=1D1A3F8D9959DC6CB232CBDAF149A4D84819B3D800BFA65AA3F34D292DDBED46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.063{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CC3C34CD27272B2586F86089F98C587,SHA256=29DDC6A039F123E83F6C42D0184A53BDAC0C22FF4371BF2222BEF72455CA0CA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:55.016{5EBD8912-7586-6151-4F77-00000000FC01}29882564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.891{5EBD8912-7588-6151-5277-00000000FC01}49482560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7588-6151-5277-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7588-6151-5277-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.720{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7588-6151-5277-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.707{5EBD8912-7588-6151-5277-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C1CBEAE4F34032311467F3D65C42C6,SHA256=85A017EA08DCEBF75513FB97AFAF37EC831AFE5F539D9635354AE4FC4A631B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED229206F62A4CB5DB9B7C4B56FD9F11,SHA256=B186CC93E0207CFD5FE299BA2091B44811B6F9983333A3BE7882C6DA33C8CE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:53.459{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:56.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3697AB5CB0156FDA36E07A5D24567709,SHA256=058C671D36EEE1BADA0210C8706942E6CAEDB96C6B617E97534942B5703E04D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:56.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34DAA394364BF8E979E18A153A827531,SHA256=9C29A876DAABE15B0EC217C9F7E3CF4B135662E9FFEBE8A8D6117062771FCB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:56.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275B643FD354ACFD77EF684351569485,SHA256=AB23B2D2B528ACD2B02E62A24D04E37E54D8C9359B86E2C75FDA2ADBF5BA84A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7588-6151-5177-00000000FC01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7588-6151-5177-00000000FC01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.173{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7588-6151-5177-00000000FC01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.158{5EBD8912-7588-6151-5177-00000000FC01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:57.735{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9658814C321D459A346944CE85E10AF,SHA256=585F9E1C75C9F5F8D14083EB29E54909AECAAE409380174AAECED24623969253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:57.735{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58193904813BE14DFAFA0843A5B595A6,SHA256=CB014DBF3C44F6E8C0108FDE8DAE1E60F20EA7711951BAE699779D2C56B6F11A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:54.742{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:57.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3697AB5CB0156FDA36E07A5D24567709,SHA256=058C671D36EEE1BADA0210C8706942E6CAEDB96C6B617E97534942B5703E04D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:57.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0CECD6A32194BA7B7B82592B1E30FE,SHA256=CC9E7D332A981C5FE4F6FE0E303F84218AF9D7CCDE4F0E458EFEF916365805CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:58.954{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464AEACA2DFD9A008B4CE3B0F9EABCF1,SHA256=55C49524D82EC69372C03C063B30637BF112DDF31988BAFB8C39AEF41C166350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:58.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E682E307A3EA61BA91C7A1E880934D,SHA256=D4EB21CFE9F276A9DF46E0CE1CC7072D2A32A05B7BF17A53F5B9518DECBC2FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:59.955{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA881157E1A1B45B6B27506F38D6151,SHA256=F33A1F39736F3D41B8ED5FC6EEC11CA2B0CD1734D80A5394C7D13F3C41B9F2D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:55.806{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58269-false10.0.1.12-8000- 23542300x8000000000000000959350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:59.289{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2196F09B305334134B2A09D4E80D78,SHA256=767837CD2708612921144FA8DC704BA2D4718ECCCDA070A8049C291826E78A1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.724{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001023101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:56.516{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63325-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:59.251{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FC296745080345E633807DB609155B1,SHA256=370E1237145E9886F506C9515B6D91AC4825A62DE48C5AFEF5F7116D8F54C6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:00.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EDDF9BF0C986709D823AEA0DDC0A87,SHA256=5E73DD3B96C9F5983CD5174555A5116DF59E0316D5EFA7369BB4211C41DEE3FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:40:58.792{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com49426-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:01.368{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=905DD0D50270E0A21EEA85AD2D334B3F,SHA256=7A34C43BA65136EF09782386740BEC04C9FF668F5A8858FD8AA1E99B142D0069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:01.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFD2D45362EC9C63A840A4301158AE6,SHA256=DFB6305039052D9A49F0A19636689740B5FC0AC19E8D607B7D8CCE9030F36522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:01.924{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545682D3F59D667EA90EF9128320482C,SHA256=36F8DC564DC76D3DF8D3654FA14246F4109B47BE1DEFD2909D7AA32808BABCC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:40:59.664{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:01.096{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB4FFBD8338ABF1A44A35A24FEEDD3F,SHA256=AC6F38C4219594B3A2A0AE9996FADC9C9B4979CE3C2BE842AF80ABB18962E47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:02.321{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF2FA8391A1804408E8D84930F81AC6,SHA256=BD9FAE196E5ED597DA1ADD0AD30B47B7A0CA72B70D1D234D361199265E87BF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:02.096{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44681EA6984C9481713163C631EF2614,SHA256=136BCA896DA9582E7BF97876A66C3D2CD7FD9E958A1AEBF2AB8DF736A59E8718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:03.571{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF1C92657D67C92A6B3585E272F505C,SHA256=62C52A5820B7177836434DDF2C38ABE5378EA9BB2CCFFBDA5AFA471AE2EA2621,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:00.792{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:03.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319FB92DDF28CE1266A3762128268294,SHA256=18E0F070AB8E1E364646DE2C88964DB0A0476F56A43B52224F334CB1CE773422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:04.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66AB01DD37D840DA37C81A57B240043,SHA256=245D1BD0C769F9F7B50DAB12600643275A42ECFD70D03A6ED5119AFEE5CC24EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:01.866{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:04.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE925F4F8FA82A56ABA62D9386C59D58,SHA256=84F37334FA572999A80FAF73FCC0351D47BE9B7157D1EE04D23591473D823C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:04.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38AD77A028449BB4C73F7313CE90B781,SHA256=6A29397CD2B705C8376CF2824DCBC5D72C889FE948F039C88C1FDC97FEE8F0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:05.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141FC66E9B224844F3BADB49CC11B802,SHA256=E84C2918E767777DB09A679D3674FED3AF31CDD9F09F17D285104D5170005558,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:01.907{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50880-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:01.698{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58270-false10.0.1.12-8000- 23542300x80000000000000001023113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:06.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE08034749937E492A6C24088084018,SHA256=9F4559BE9E489050996A6630EBDEC4C7443386B332F91E5D73B05FFDD5A1D4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:06.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C44B5A83B67C91691AADF9D64752A59,SHA256=C2697CBA78E56FA003DEDF1D73B365EBBC9AEBE5F50FBC9B61E1E7E16AD79A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:07.830{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D2FE8884359C43E8B7784552ECB1BF6,SHA256=EB115CE6C230B6FA2E3D6A866518CBBCCEA438FE2ADBD9B0BEEDA9C6FBC73DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:07.830{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C7FACE88E4D0BF444B771C17138A705,SHA256=969A3A8814738A04CC0FA53F48EE2ED7591355B64166D4FE4F755C7650CB42AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:07.362{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D29003CE03950A330EA373C824FE166,SHA256=D5D741736E7700D2BC3568FCA1A54F39582A13973722A8C61A107FF023D41A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:07.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE34AC77D7177EE65BD24E061526F050,SHA256=E6F5BBD6A87B830E3F61E42B63738AB08D4F7C638EC9D0C25A5070762D66FC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:08.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663C6023FB93760CAE13E610962A0868,SHA256=558447BB7293FF5C6ECEEB052B9170CE1BC44D8DFCF4235D82C501134A416AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:08.368{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F480C8D110265D0651CB6A849DB6D1,SHA256=CD6A878649F4E4B73E8F7EA6744FD21D43201D3AFF2518517D4F846A1F5F8881,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:06.215{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52979-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:09.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF95E950DD94482F918DE0B949BB1275,SHA256=B74076567A4F1935AB30BA9AABF5A6A524D650CBB413E83D8810CF33BA321CD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:07.819{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:09.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A53B2DD4D5B2C191E09B850DCEF9524,SHA256=87CA649C546C28C87D2D870475557B6A6C0024B6B34EE99B0EE1E2CC81A907E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:06.460{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53825-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:10.737{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC744A292214328ACE0D797832D5E97,SHA256=181FBD35972FD41392F0AF988D2692DD6BDFCCE192F0A5714FB12E3823C04D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:10.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE6F4A84766F0B99229FCA0DE8A7576B,SHA256=984D805EDC91B17B9AED60D7CE3DF44CC8A80BF4C2965B734478AAF5D73C977C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:10.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F011DBEDDF1653D8BB17A2DC5BB2FA83,SHA256=38C4B5B9DF32554DC80A496439A6F1D751430719BE84735E37A15933AACEFC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:10.415{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237D19D71B15381666B31368C722A9AD,SHA256=31F0918F5921F025C7BFA4C0193B69A89B1673B5702218F081C9F59A69AB5ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:06.870{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58271-false10.0.1.12-8000- 23542300x80000000000000001023121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:10.096{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D2FE8884359C43E8B7784552ECB1BF6,SHA256=EB115CE6C230B6FA2E3D6A866518CBBCCEA438FE2ADBD9B0BEEDA9C6FBC73DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:11.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957D47075CED87951271FD6000D0FD83,SHA256=9D3471C82AC517C157A1B20FB9F6896BCD3115C6DEB4B4135F54500C032A7777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:11.696{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:11.415{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0FA650C496890D3E3B92CD9421F491,SHA256=C8C74500FEA4653EFB6B9F636CFC061EA9C68F4B1A38FF61A6889AD1C5FB2F43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:08.460{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:12.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E080371A48316CEDCB50A81A091EB63B,SHA256=97FD7C6BF0EFFB3E988A9A17FCCBA7FECEF4BB430C80A689ACB5DC23247A2CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:12.431{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE5F21482999F8C50E419691DC48E92,SHA256=68E43B8206A7B1E771F3902DE63524570C1EFB249A2844DDEE81D5D5E72A06A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:08.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55025-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:13.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06E78F88089D34ADAAB08E3CB1C3A39,SHA256=F053A40A91AFE40D3A3EEDCB93771BEA760C19BAA4B6B82CC3C34CB6FDB359C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:13.431{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F281F2E167EFDA79D1C2B09E95DEB3,SHA256=7E17FAC9D47747AC03CDD00E1EADCC42B8B0E05D9366C37002A2CDE3185ECF4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:11.915{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56558-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:13.565{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C082EA6FCECEB87D210BF2B88C46761,SHA256=7020810DC91315D3C0E28FB292D61658B1D94ACE245C43A2392D47D4F29C3433,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:10.339{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58272-false10.0.1.12-8089- 354300x8000000000000000959376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:09.821{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:13.197{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE6F4A84766F0B99229FCA0DE8A7576B,SHA256=984D805EDC91B17B9AED60D7CE3DF44CC8A80BF4C2965B734478AAF5D73C977C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:14.649{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301EE71B70CE34E22A54666AF2F69C05,SHA256=2E1CA4A1218AD7E02F37D55F11DE4666F96491FC8F5DA360AD7441AC70B5DCB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:15.696{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C929690D5A19AD8C27BAFA1C932B110,SHA256=5821DAD79342EA5516300CA553300711CCDD8C134BC755F7781D312AA2C606DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:15.898{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4219MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:12.913{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:15.002{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7545DE811C70DD6E78E97EB6A1E3AEFD,SHA256=5121A0EAA101F106B387F8FB8D641CD11562D793211A4FFD671E5F1A2298EAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:15.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45B33970BDA14DAAAEC7B43DC56A4410,SHA256=667DA724E9B004AEA30B5202A155CDBA4F7CBC5C47048BC287CA2ABB2E8361A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:16.821{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00600E14A78B2920243437B0C38CA157,SHA256=DE72E862C61EDF1E74FD0A7E0DA999133885377D203F1F69A99D5040628E95CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:16.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8AC0C71DCD1008067A075D48FE57621,SHA256=FA856DBE68A1F23E69CBA98014CEA4B463817F2EE2A3B383154E7B945E9A5E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:16.897{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4220MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:16.630{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D63B7BCF72532527EDB3E8609928A6,SHA256=2E2E8BFFF641E828644245BE7794C21977134BAE3E92F120C62EFA062884DC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:16.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55B8BD5FE94FCD6F46D88AC037D1CFA,SHA256=46A794FA6F8BD781AC6EE09FE6C5F486D2D239886A2B69799B478CB5D8F71CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:12.807{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58273-false10.0.1.12-8000- 354300x8000000000000000959382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:12.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com62687-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:17.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35A6E77A9FF74D3CD5107A38F59CC06,SHA256=ADEE7891722F84590CA59A9A25C303B63301E82C75BBE035DF12691B44167EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:17.270{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFB0170C59D18F0209F9AC79D96D291,SHA256=735ED35D8EFFABF1A2B0214D14397010F2CB4858A58096DE5AD03CA7DB171F04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:13.905{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58461-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001023136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:15.085{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52404-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001023135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:15.085{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52404-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000959389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:18.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC1AF2EE4775797F3A34F4C1F8B0AA3,SHA256=7B756450C8340BA0EE709DC31C629D4D179DE6F67C47250D445202524D4D5CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:18.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544BAB439E36895B363F8A43C33C775A,SHA256=6785E6E31A2E1C641F7F62C9E8E9F51EE1589F5E0ADD175F19F7C8C25D832FFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:15.061{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:19.615{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF84AC857099A8A35372C82BEDE239C5,SHA256=A91CE1F264BF192F3B91C89AE43359F52CDD967F936D5BDD58021AA845754AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:20.709{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9158510A03075A298BDBD6F37B3FD6,SHA256=F9B4DAD7661C82440EBDCC56B90A90B14DA3E456C44636B4EAAACFFECBFCD56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:20.184{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA2C0D612A3335F0BD8124869AD28A8,SHA256=4B41B968A1B6A588BD8F4FA964EAF233945867D720F6014BAF7DC04F94F8F3F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:21.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395F0F46C18395A9876412CC1B90988B,SHA256=1BA0B6376C80177FC24EC1C8CEBE475CA9C7AAFF0D1C064934E242519AE6016D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:21.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6FEBA3072D92BDFAEC523EA8787C1D,SHA256=0FBA7A0683D6CDFA1E2656FBFDC0D132C9C63CEF55F96EF820A54B162DE02FF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:18.779{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000959392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:18.391{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62069-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:21.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7F71B3A5ACF04B54CEBED5196C1E52,SHA256=A35B091428DFEA5F12044301A478D6CC18B54D95704B15221077078FED1C46CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:22.803{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76148191B3EB966081C3B58B06E52A2,SHA256=BC3878AC8E8FA3E9355A4BFBCBB503C338D5C703466A556E35DFB6C8C40BB3BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:18.811{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58274-false10.0.1.12-8000- 23542300x8000000000000000959394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:22.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA490F9266333187A34F406BBD7B85F2,SHA256=E3AA3293CFFD2E47F87D532C1AD7604A35F70EC7B0FC92EC632D4366FE9A99B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:23.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A681BF28C8B526B15DA8171733203B68,SHA256=521256ABE7149A34089112C9CC757661CE8D0AAC0EE0290075282467BD796B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:24.575{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7066DA2BB04FE3FE1C94D8AEFD984E1,SHA256=FBACCBB0C399AA7AFE2BF851B17E16C174FA7F634D9C465E41AE9065C6E1A950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:24.037{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFB2DB709C28B207A536C33E9C8F331,SHA256=718E62910C95D5EAC3F74FDD441CB37577782E3EEE7708DD023C764B5AB5C363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:25.590{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE1EB4E01FE4C1124BA595535392D49,SHA256=F8A24FE336CF4A55030B5D98592D59C9338BF182934DFC782E760AD9F05885DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:25.272{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E444B2E262A852BDEDD3E5AD7B8B8859,SHA256=9F70BF2ED753EC417710E73015DF81A0F87FB2D26AB9E9E9149323DFBC04096F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.809{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837955D2F90286D8124289FCFEC2F268,SHA256=C9A9F5B7EBE5B193A6CFD9653FEEBDE6F8972DE5AB298588EFD04257E747416A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:24.729{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:26.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0BECB394B3F1687294FC8A102DA790,SHA256=03850E4FC6583B590CC67886BF8B205817C9B9844C5593318C313EBDC9093C14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.481{69CF5F33-75A6-6151-4577-00000000FD01}23201096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75A6-6151-4577-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-75A6-6151-4577-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.325{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75A6-6151-4577-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.310{69CF5F33-75A6-6151-4577-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:27.741{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69FE6C4E1FE0DE524C5D2171E6E554D,SHA256=394C062AA681BC380287A35759E17088E6552BAAA74A6C882EA0FD647771036A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:24.733{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58275-false10.0.1.12-8000- 10341000x8000000000000000959442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75A7-6151-4777-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.684{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.684{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.684{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-75A7-6151-4777-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.684{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75A7-6151-4777-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.685{69CF5F33-75A7-6151-4777-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5F71D3BEB203311391DB0033720870B,SHA256=0BEC36225C7B539B5992D410CFFEEAD8ED838A3D1E2C794AAE1BD98878FEB04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E954525D6F3FD1B9FB03635C686EEDD8,SHA256=FA05359C76BD6DAA0CFCE84F78975C76CB7614D859881AB6220FDBB579DAA4EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.153{69CF5F33-75A6-6151-4677-00000000FD01}7402296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75A6-6151-4677-00000000FD01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-75A6-6151-4677-00000000FD01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:27.012{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75A6-6151-4677-00000000FD01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.998{69CF5F33-75A6-6151-4677-00000000FD01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:28.865{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC40725217BC92D9E2822419551ABF9F,SHA256=D919AA538F11005B2F74CA2ABD4EE5AD15D348C3B7286FFE82BD3B7911DBEB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5F71D3BEB203311391DB0033720870B,SHA256=0BEC36225C7B539B5992D410CFFEEAD8ED838A3D1E2C794AAE1BD98878FEB04D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.543{69CF5F33-75A8-6151-4877-00000000FD01}31523052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEA34170995C0888C65DDDFFC3BAF8A,SHA256=ED3C14523A359D3FB35CCA88BE80877C2249CB167BDDDA76A979BECCF4324BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75A8-6151-4877-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-75A8-6151-4877-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.387{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75A8-6151-4877-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:28.372{69CF5F33-75A8-6151-4877-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:29.928{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D19EDD40391E720F6B1748223DED71,SHA256=5AE3DDD6BB4CBA282658DB6FC49AD7BD248182FCF005C20BEB1A5A3BA045C1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:29.928{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=726478982ACF01E79787AA41929620DC,SHA256=F3A3D49BFC89E426817F8B04BC9E0A76440FF029E83D9F363778FD8D3DEA6C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:29.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EDD1C08A353538FC3FC896428C3534,SHA256=70B327F62EEE704EE9AED497882208DEB645CC0A4E2035189657C68AB4EF9766,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:26.031{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com59189-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000959487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.887{69CF5F33-75A9-6151-4A77-00000000FD01}24562264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7CCFE8F5EFDE86C5AFA5E0E3CCD966,SHA256=025D64E938FB5A436E3108EB0D015A1C3F5B83E137FEBD40F80E09FBACF9CE6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75A9-6151-4A77-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-75A9-6151-4A77-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.747{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75A9-6151-4A77-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.732{69CF5F33-75A9-6151-4A77-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000959472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75A9-6151-4977-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.075{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.059{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-75A9-6151-4977-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.059{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75A9-6151-4977-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:29.060{69CF5F33-75A9-6151-4977-00000000FD01}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:30.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4D2447AF536273C0898AE08A2E911F,SHA256=ECE4E35D84576C62959F7B0ABF7C4C5467AF8D6792DBA0EC5544B7AB45B048D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:30.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF30608068EA7D2794B50A52DC262817,SHA256=7FE773774F5652F1225D7EE10F7ED4ACC0772BBE3D89864F95570FB7EEB0D2F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:28.285{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:30.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A718E2A66BA22F5DE7B53C3F25F2AF8D,SHA256=F2ABAF964C4459D0BE4FDD7480F0903CA46812979C8A6DF0A238BE640ECF8643,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:29.838{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:31.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900CC2CBF2FA66E3C04ACD8591E70ADB,SHA256=3339D98287EB56F6B1097F74534A5D73B0AC422088D62D2011D69C06B62084E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:31.903{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DF9EFC80743D98701F0EF1C2C8A62911,SHA256=703528D42CBD03EFD9987923752799F0EC8AB57FEDE5E17F1056E3A90997DE2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:31.439{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52459-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:32.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC2A3692C16D5007D99DC06C8CEC67A,SHA256=6FD94ADF5F8956D1A38BD66F21C1B8ACDACAEF6A5B51A47005C3AECEA552AFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:32.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6213663FB4E15A9BAAFA3972736853B0,SHA256=8AB8CAB9590381D04889DF69695F8D1AAD7D82E19AD3125D3C72E4293D96EFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:33.912{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8DEDAF868E5C5779C465C6D0D9CA51,SHA256=1A02006CA88B7191149C48809990E853452699709DACA3A117EFDDA9A95089B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:33.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED5983E4DAD0DF592E7130EFD632A3E,SHA256=7CA1C0813B7E0B7EE80FC28A1C5B6BE6A5E8A14863212420BF3D0EBE98C00FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:33.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D19EDD40391E720F6B1748223DED71,SHA256=5AE3DDD6BB4CBA282658DB6FC49AD7BD248182FCF005C20BEB1A5A3BA045C1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:34.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE6A0AE3D433A8758BBB3B0A8F55A16,SHA256=61C54726B84B2C9EACC3F5052A78BABF470C0D629C5730EF02637B3FBBD675F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:34.584{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:30.733{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58276-false10.0.1.12-8000- 23542300x8000000000000000959496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:35.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6383B539FDD416934733E2D808DA8FA5,SHA256=80DE625C5CFB18F3BC9372022D7F49F32CAF36A5F059C557FEA7414A25061404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:35.131{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A0C131BEA199D6CD2AE4B3C0BD81BA,SHA256=B8BBBC7A763E2606F1D170B25BDDF3D674D6D275C25CAA93034DBB4DE8E969B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:36.668{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE67260C878EA2E7F36AF2486B91ECB7,SHA256=B2661F059BD62F328CEBE76DED225AFED79D6F09E40C4D18D899C4D7D0A60E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:34.260{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001023163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:36.287{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A133AB9CB80CF8E91B4B748E10CF25E,SHA256=5DEAD1988BDF6B8325BFF40AE7857DDD3325279C01AA5069A8801B1C34E89D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:37.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6EA72935C46706A015F02697176C67,SHA256=A03940A798D05019948E67B01DB86BDAF8C9A1BC3D1BFA238AB4C300B636668C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:35.869{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:37.334{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D9FE0845CBB5C6BDE1298937FEA0C4,SHA256=8AACC94E9D298A761DAB83FD6B69446505B775468025AD95D9CF2C0C3CF35938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:37.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4586680B93341372ED2CB174CF3529A,SHA256=801466DBF6AA1D4147AEB3A8FAF1E244E5A33988CC58E0A206B16D8D1AEE9AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:37.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B25CDEE2FCEAE688ACE53F47D438C643,SHA256=504D77366EA82C033A08BD42AD3205E1D8275B54F14A8FC2FC55296450BE4DC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:34.726{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000959516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75B2-6151-4B77-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-75B2-6151-4B77-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.856{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75B2-6151-4B77-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.841{69CF5F33-75B2-6151-4B77-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000959503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:35.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58277-false10.0.1.12-8000- 23542300x8000000000000000959502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:38.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF05FAAA33E2ED0407A0FC397949C5E,SHA256=B04E7950BEC1BF5DFADBBA82B8527527F73A9E3964878E4C39B8F87E9C690EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:38.568{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=44A1721870336360A64C07AD9AF72EC1,SHA256=F2B36B73E59843177D53DF3C1CF2B60797141A5DC3CF666FE13DBB7D7E8DD2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:38.334{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CCE36CB240080B03B2D0D418CBAD01,SHA256=7480857734BFD8E172D56AF49FE664C8A1EDAE100466604CF1BA9C45E1B1062F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:39.950{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4586680B93341372ED2CB174CF3529A,SHA256=801466DBF6AA1D4147AEB3A8FAF1E244E5A33988CC58E0A206B16D8D1AEE9AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:39.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8208C12A28021AB7A412CFE966E688F,SHA256=1FE02608C623329109ACA8464152808F3F16BB772C0D897431CA6492455FDF75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:37.120{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de61283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:39.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E423B3469D31141D6E2999F61D5D361B,SHA256=1FC94166D76114FCFEF0F9EDFB3FAFC966D0452A26F968E12AE9CCD748A5E76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:40.716{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DF19FD34F1446C228A90FA188620CC,SHA256=D46D16CD10FC46C74FBC83D2F2F20C0603A6753E4D5FC11AC99A67CCD7D953F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:40.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DB766C9FF2CF14CA6D469A03DB0274,SHA256=97E1AC8558B5337B0ECC7E2968695D4730C5FC9A8AE4640090D4FF80CA40A991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:40.053{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52F6B5B724A825AD36F0FCB5C2EEAAF7,SHA256=1489C3856F097D1E46B28F0D7B95082E3F04DAE5154D015A677F615F6909211D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:40.053{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D24F7337455CFF38144A4331EE81B579,SHA256=E98DA4FE5C6DB1D46427FFECB4483409DD9C029549D052FBE405EE1EF604605A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:41.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=309E78322F55DF328567317E7D4445E3,SHA256=31AAE899A4DC8F49BA87665BDB5F452520993704C3CB070E3EC04E9E572E6130,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:39.065{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:41.731{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BEF4596C56D61230F2C702E94A5DA8,SHA256=E1D59AB9032A16DBC899A362E2699B9A051AF1C0C7A968B5FFC4A60DF73F5B46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:39.075{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:41.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5A99B33595F923250CDBC8780E1FBF,SHA256=E666E5FF6F9D49DE14CC690867DA518877FA305CADD6A9F7EB17AD4FB209975E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:39.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com55881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:42.747{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F226A8F13C812F9CC645FC81FD70F9,SHA256=9D76136197497508F6207676E03518F144192D773F96B487C8698C7A67C9D383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:42.366{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6211E662B820275880574E9B07D0BC90,SHA256=9C52E60987041A5E873D161485D752CFA4D96194445D393DDB562A0182134544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:43.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F971D2988516DF07E425DD76C9C6E8B7,SHA256=3D7553A497D9B7878B91D2424D915FBA0AC71E067F039971853AFDC7790DA26E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:41.823{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:43.381{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7452421318520A01BF3E25C264B1B537,SHA256=083C644420918535D0B61DF1D8EF9433FE2A9903FCA02A725DA5495D0AB8D43A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:41.842{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58278-false10.0.1.12-8000- 23542300x8000000000000000959526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:44.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3AFC7B9999DDC5E942CF05DB62FBC1,SHA256=B0DDDD80815EC094DB9C6DEDA241C83E3013CA2CFCDE63A0B10B3BC1E3B01438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:44.381{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78700160A6F5A297EFA431298839D255,SHA256=B64DCF0D277AB12E399011E51DF957E6F10E525499686C9BF8CBB9415D2421FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75B9-6151-5377-00000000FC01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-75B9-6151-5377-00000000FC01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.881{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75B9-6151-5377-00000000FC01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.866{5EBD8912-75B9-6151-5377-00000000FC01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:45.616{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C19DD337B49772C26658D07345DDD9,SHA256=94E20F59A91CED147F221122E92859B36A5D6FF8710563CDD604D6053F215AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:45.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FAB880AE7733861D2E833182DE23DC,SHA256=CBBB4D151DE3A7F77D6F2125D3330A1B4D3C294E9F356DB5C6BCCE101EFE02E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:46.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC9B82A825F5C3CFE3BFA72BC9B6A96,SHA256=E1DDA30D5599F886ACE24D25EB559770DB62FBD4A358915CD3A5C181FFA15503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.584{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75BA-6151-5477-00000000FC01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-75BA-6151-5477-00000000FC01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.569{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75BA-6151-5477-00000000FC01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.554{5EBD8912-75BA-6151-5477-00000000FC01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:47.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EACA1DB73B844E108CFCC372DA0F640,SHA256=DE1777E4CD5A429F993699D1318F4B13A9E39ED92F33A8BAE62B3645A1674AD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.428{5EBD8912-75BB-6151-5577-00000000FC01}20042316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001023222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.273{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70E9C14DE520EF3D88718DA503454306,SHA256=06F4B8BB95A958C4FFE5ED11200DC5BC76FC992960564F08C90CAD0923A61502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.273{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D70CF3421EFED2D12BE75EDEBFDB95,SHA256=83B10D8294B261CEC772798B7BFE5682D2BC4294D9C904E73E876A84E84904B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.273{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52F6B5B724A825AD36F0FCB5C2EEAAF7,SHA256=1489C3856F097D1E46B28F0D7B95082E3F04DAE5154D015A677F615F6909211D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75BB-6151-5577-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-75BB-6151-5577-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.256{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75BB-6151-5577-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.241{5EBD8912-75BB-6151-5577-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:47.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE77B1DBC221B6DBCC7F2384A0095EBF,SHA256=E5059BEB017A94BE81F84DC53F5D1CBFF0C9F9884735C63A80BBE36F6D97450A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:47.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5809AC80A6484E5827C1C3CFD9E47EF,SHA256=F140964FE978E06B0ECCF15A91E248CB7334678B5EF914F56FA5DE95764A8065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:48.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC2CB3729A872A9A7E4CB76FEA29644,SHA256=1D11EB9A5C1A8D71404EC51F77AFACBB03F36098F087D9DD91DEFC8443931A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:48.287{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2131668DE6A199B14BA4FF5CE6EA3F26,SHA256=F5916001C4E05526D56C081C2EDA6E2F7853FA950131D5DEF20B453B9A782211,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:44.690{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-65328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:48.256{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70E9C14DE520EF3D88718DA503454306,SHA256=06F4B8BB95A958C4FFE5ED11200DC5BC76FC992960564F08C90CAD0923A61502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:49.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE77B1DBC221B6DBCC7F2384A0095EBF,SHA256=E5059BEB017A94BE81F84DC53F5D1CBFF0C9F9884735C63A80BBE36F6D97450A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:49.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A26A878A8F939D5D1B9D05381AA225,SHA256=3A77AD77238702E0155CD75C903222635F591D6692EE170FCAF8C16C794908FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:49.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5AA9D63C480684D19BC260326D31E8,SHA256=9DCDD0FCF226D441ED70B40E3B1A1DCE506197A4C3C77B570390CD885E4F4B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:49.016{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4220MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:46.242{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:50.812{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C048E8575C6DB6C40B86FB2A3D7723D5,SHA256=3D2AD916117B9C75DEDF1FD73D9C5A76ED4FBF236181245B69FB61B6859BB89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:50.444{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F2E07DACAFE22CBE799B244809C818A,SHA256=A75DD6615F3A26E0E5C0D3C456CF1241AE2542182102ED77BABFFA836CCAE840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:50.412{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCDA20C560463988A2A43B197BC5014,SHA256=374C65E00FD7E3C8F4EFC9F1233FA1B9E1B13BA533089C10FF97E4035DFCD877,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:47.718{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58279-false10.0.1.12-8000- 354300x8000000000000000959541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:47.029{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:50.184{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B46F0ACA1D1C96999E101B8C3AA60758,SHA256=BEA610225CC421D3EB800E37B83B7088647D1430B5C8F1E6CC3A7088192DC03A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:50.184{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5E9033269A4E72D755D6860F88B5E9B,SHA256=AFC2062483D9B070F2BD4B759C251EC803148DD260A8D5637BCE02009B27D9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:50.030{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4221MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:47.776{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000959544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:51.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784339B3CA8919F38AE5BC9592DD38DB,SHA256=9FABD6229825C3890F75C91ADA841F67A32113A33F0893B553683EB9CC9E9EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:51.412{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF83FFE338BC7B89070A46226B0CA72,SHA256=A8839FF21650B3D9AA695B7E8B9839BD30AF6068263D7A6F7ACBC979EAB523AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:48.836{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:52.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E472106C3D8C8B986B2246890F14734,SHA256=8D0D7800E44EA84CED657DA32CA1D4E7A061F84E7ACF241FCA776835F00F405D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:52.413{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC58C361676C4DD37047917866F2680,SHA256=5DC6C6F3786090412E9DE2CB071B0F7B5BFC16E3A2A0D2A4746F3F2200570F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:53.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B06DEB98EC04DA710C257E33A240C3,SHA256=CAE4291453F1E973DE594555E9BB9AEAE9273CEF3B6AB1BCC545D6C1B4482CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:53.616{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D11398CDEC2233ACFB0E20BB193D3A,SHA256=FDE52813AB17C2B63AE5BD4C5D892339E655665A7E1A7720B4CAC1B4EDE616F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:53.428{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A7AFEE9962ED751D30FB082E0B05DD,SHA256=19D89017E8BAC228A4FE50F9E3066570EA9B549924B80729520749530E65FBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:54.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF64F32B0FF3F5C77348D6736300D7E,SHA256=A7D8F976036A0F8FC1AABCA684BE9B006D4F2604C18AE71B557C6C765DE1FC3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.959{5EBD8912-75C2-6151-5677-00000000FC01}18204124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75C2-6151-5677-00000000FC01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-75C2-6151-5677-00000000FC01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.787{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75C2-6151-5677-00000000FC01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.773{5EBD8912-75C2-6151-5677-00000000FC01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:54.428{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60DB2E93250DE929CE798CC4C64F585,SHA256=A8AA93C2F850C1ACC43E145CEF5BB1C5EF3FCBFD1804A528869937F25A38862A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:52.002{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:51.936{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:55.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D12569D4C273C819A2DD5CB7384A7C06,SHA256=E2C64E66BF5153BCF0DCEB9A2E4D58987D2B55575BE65B34D58917D8B29ECD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:55.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=628696AECA041D4E44EDD238E13BCA30,SHA256=13A3ABA58D2110333F05E72D7F3BE8E06F3FA57ACC1E4C635C15620F74E1FBCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:55.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC2C962EF0E225AEB3985626BA8C4F9,SHA256=1192C58A3472A5A6F467F59790D58EA07F8F32D69B280C1CB878068A2C5066E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.662{5EBD8912-75C3-6151-5777-00000000FC01}11323344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75C3-6151-5777-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-75C3-6151-5777-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.475{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75C3-6151-5777-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.460{5EBD8912-75C3-6151-5777-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001023254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:52.917{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.428{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981161C60C5DFBF8E5289C5D25EE0C32,SHA256=BB6A60C97066C02DA3117AFF4A7556179EDE0DC1ADB00785DAAFF4AA5B8CF561,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:52.861{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58280-false10.0.1.12-8000- 354300x8000000000000000959553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:53.343{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com52848-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:56.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BD359747A3175B7F8B73396C527D8B,SHA256=9D9D84B4534597BD4CC157977866D023DAA7B3B31C320EE6E0B7970E89706DCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.710{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75C4-6151-5977-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-75C4-6151-5977-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.694{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75C4-6151-5977-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.680{5EBD8912-75C4-6151-5977-00000000FC01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.678{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54BBDB416C1A71545F271D38130F090,SHA256=28FF3FCE8CF2921CFFFFBD014594CA955D414BD113A70CDDCD30BAACC496F28E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.241{5EBD8912-75C4-6151-5877-00000000FC01}45562712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75C4-6151-5877-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-75C4-6151-5877-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.069{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75C4-6151-5877-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.054{5EBD8912-75C4-6151-5877-00000000FC01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:56.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A49625F3EAC8D7BB4BC4568BAAAF0942,SHA256=3B97CB96851532B2E56D46A1DF56596BFDD9F039CAFCF10541FB25AE121E5337,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:55.248{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60462-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:53.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:57.890{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EC25FBFDED7F0B8811CCD2F404FC76,SHA256=78B03C5D5267EA285E33A40D9E24B2BE1ECFFDC586D29A77C4624487AAB7BB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:57.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB87A249FC98799F443876D4A1B8D85,SHA256=4D2C937579088AEC820FAB875258F08C8C7EA5E71F5D8BF93D3C6044AA238D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:57.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D12569D4C273C819A2DD5CB7384A7C06,SHA256=E2C64E66BF5153BCF0DCEB9A2E4D58987D2B55575BE65B34D58917D8B29ECD42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:55.481{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:57.194{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADCE88A9FB2FF94DBB63422ADA923DF2,SHA256=818614065B7EF84FE7D2110EEFDFEFEBCC20608C4B5C3645AECE085D460F964E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:58.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACBD214A604075F0302FAB60F9A071D,SHA256=1B66C5F284440FF400291B803E9640DC22009D371B27D909E2CC4FB1C74FF008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:58.756{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734746D7961A55D27FF15A1F5975CD28,SHA256=07B6E625514A308070CD0228A740B5C6B12A0EB6C8B3622C103DA8E0EC74806A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:58.366{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B24190F1009E77D45739EC1E4F8ABDB0,SHA256=F8D82038A6D011A4EBF176EC048B386B838C7E58BDB4EF04FBA4DA0ECDD32430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:59.908{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125CE9843499009719F0EBFC032BDA49,SHA256=918682B60E787C024EB011D89CC25C53D85FC35A3A25D509B0BC57451E9FFC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:59.761{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A8BC83BE53595FB5D1579563E30FFC,SHA256=EC419723EF0C77FCAD890C38C626C378B9E3B6F585D82BB671683216AA48BEF6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000959568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000959567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f7bf1d6) 13241300x8000000000000000959566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b36a-0xc510e88f) 13241300x8000000000000000959565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b373-0x26d5508f) 13241300x8000000000000000959564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b37b-0x8899b88f) 13241300x8000000000000000959563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000959562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f7bf1d6) 13241300x8000000000000000959561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b36a-0xc510e88f) 13241300x8000000000000000959560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b373-0x26d5508f) 13241300x8000000000000000959559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:41:59.704{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b37b-0x8899b88f) 23542300x80000000000000001023304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:00.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA69DC3E34536E0199EAF8CA0341D95,SHA256=A0D40694D36C689D22A09DADB0168B83B0FFDAD6D11AE313ACD26F52957B7A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:01.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A01D5128E7088D03C1B3293D68C9077E,SHA256=DD81B9F984D9B531FCCABBF4D6FC3CFFEDC425A5C4C8D37D6A62224A0EDE99A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:01.126{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECB2FB82F7ACEEFEB8510C85656A135,SHA256=38A54AE12318F5B5ACA2E1FEB494930FB265AF16D6383C136E3DF4B7A8843541,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:58.823{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001023306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:41:58.540{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:01.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=342B602BF0F920EA71A9BE211A382C0D,SHA256=3AB624A8B4F813850950E40624C8D5C3C2D9606BAEC87A5A816300CAF42AEF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:02.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91484C8A102B9364AFA2A443CD9A0401,SHA256=64B98F6C40D5865CE4E8FC5E6BB815F4D40AF015E2D0EC5943EEFACCBE81D990,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:59.276{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:58.800{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58281-false10.0.1.12-8000- 354300x8000000000000000959573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:41:58.432{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62789-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:02.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D908E7F4BA37D9B13C7C8121A6C548A,SHA256=BDDAF65B92F20E380AD7980CD555EBAF96B5A9CE15490C3893E4D4A92A11DABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:02.089{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83EAED68EDB96450EEDF5B7882CAD4E,SHA256=45FD152ECE4DA13DDB12552DDC839496AC5FF94D67EA050F89EC83FC82500021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:03.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C534FBC86A358AFCDE54A30FD7D59F65,SHA256=F6632B7F450B2FD148DD0FFDCA239395BECFA426273B3AB4458E30DF4BDFD5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:03.151{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E374C3C133E2655447314D29A65B8FF,SHA256=4596DA96955A020FC96CF1C2121105FD71DFD43DE095936B9321A62791CD2F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:04.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5FB053CA606B6D7E4083AFEB66D0F0,SHA256=AA9D249479030335A68EDCE609F845BD0007C258BF20C44C569D806530406C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:04.151{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FC6BB3A06C5A653267BB94D5A5C35C,SHA256=E8B2F3E280077E35E007064DB13378E81279CA9A56033599BD5B70188054C457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:05.876{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11682C755743E078C8BB418207B0DE99,SHA256=A3F7C31B243F9C331B317F4C5629CD81635D0C8EBCF47449E406E4F02883E5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:05.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E56E922429618F3BB69B42CECA233DE,SHA256=FB1815514DEF6B36A6417B899DBDBF3AAECD1E446174682677C85024AA0AAD89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:04.765{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:06.167{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F0B3B5AA5410076FF1B5F91B99AC62,SHA256=3492906890A5D3E6A272C149399E897C9B697066CEBE851C9CC4975E0EDC67CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:07.182{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6A19D54B1536EEA53421A31CB9C9CA,SHA256=8862603586ACA20110B612C7E8040742EA11ED790AFDFA99E6895FF2E490C31F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:04.722{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58282-false10.0.1.12-8000- 23542300x8000000000000000959580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:07.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D8B0868E1B87A00E059F6C10498794,SHA256=8566F21B5E130C6F04E8DBE300FA257419CCFF984BD405782504683237C05891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:08.198{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DD4088DBA76C0736BFA05B38AAA8E4,SHA256=C1442C269118DC756F958322CF26FCB6FC4B1B469561828209FF675701110001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:05.314{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:08.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A511B35C23431F6617C946BA8A6564D,SHA256=43A7A74BA4364841D9960F67DEBD9B6DC1E0876E887D65F5028DCBEC9EFDC553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:09.932{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ECB78303EA2556265DD1E0F8ED992C5,SHA256=474CA85855C549549C2F868390A0A7A99B56257A82AF0F6261D6EF30A582FCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:09.932{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B83B09D4A7D72758D15C472BB0754763,SHA256=05594C9704D30A89BF675905E207FF887A5FA07744D3BC371BE872D80070614E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:09.198{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9515011CBA667EA94E0813B89C6C77CF,SHA256=1EAB910059D3B2A843F7B6E7694B5D5809996780E8DDDBDECCF055915B9E801E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:06.751{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com49296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:09.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13104200B6F5530FFD68F0FA338A8AAB,SHA256=5348A78BB9319A0596DCAA0A5641D13ED2711ECC42AF173E36FDE23A131FE572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:09.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B29EBC858B30924C2AC5F47AB084658,SHA256=24A1ECD14F138796FE7FA2A2CAD3FECE8CC05D40B3F8DAA6855003567757411F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:09.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6B1E78B5875B4E2000D5463406645A,SHA256=294405C37520D475DF5B0822D75D194BA15B5FA259B62B1110F8582CE3311590,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:08.289{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:10.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A301BEAAB6927D5395FE741CE7CCE58,SHA256=9971C8593FFD71E928C32D3FA0090B09277CBD5900A3C859467AB59089EF00F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:10.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C07B74386A34859880DFD8E7A5EE34C,SHA256=F30B5B0444BC5420F540ECE1D8A5D7DEE9D6A913EE66BF1B5ACDC836C202AA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:11.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D484B2BD2963B77B7946197BEEE1C4,SHA256=814774E43D75F2389D339FED938F70524846DB05CDA5CA5E6B1F8EC029891FF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:09.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50018-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:08.575{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:11.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13104200B6F5530FFD68F0FA338A8AAB,SHA256=5348A78BB9319A0596DCAA0A5641D13ED2711ECC42AF173E36FDE23A131FE572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:11.720{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:11.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E081D8C45E7BCDEF7D941BD376EEA89,SHA256=6C2E2253597B85F8CCF8A4CE4F8AB9A697EDDFBE9CE46E6C4B69F2CC2C01ED5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:12.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B7FC18AD78D916BA1186249034B925,SHA256=5CFEC20D6A1337498FC56FEB4B14B5C4BFD2C3FA396BE3A9FBB61030875918E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:10.362{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58284-false10.0.1.12-8089- 354300x8000000000000000959595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:09.815{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58283-false10.0.1.12-8000- 23542300x8000000000000000959594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:12.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6504926F6ECA89056677D5D4F59366B6,SHA256=7EB1ACA1E6F2E361840FC8F92070AB7EF2D891631C3EF29F0F6690465CE6C6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:13.245{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED6698CFA081BE3CBA0CDC719A387C5,SHA256=781F12AE762AB0CBE14B2DBEE163EC3F77C1ED76CF1FCCB8E18D7584DB6F6659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:13.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2241536C92D21BA27961BE0E99225B,SHA256=3B9ADE84B96A6E4C1DF3A0A92F087E73602E2B12946FF9CAA959CACFB7E8BCF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:10.749{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:14.261{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2BC3364C66F39B49D9B5FA13DF328F,SHA256=786022CA2EEDC20CCC306F43853BCCBFB874CCE1B827F8BB42F3A3DC64CC9BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:14.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E406F61903EF5469F981CEEFB6B5DEFE,SHA256=CD4C13F7EAE0574EF3F704FC98A8BA985FA3B3F4894AADF0D49BE8509781310F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:15.261{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C671BC43F7E7C9A3DEBDC106FF1FE84,SHA256=AE612781CE42647C0EC8595FC499CB9483EEBD9B0C15D95A6273B8634B10D67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:15.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236AB496E968B3675BB6CA31054AC880,SHA256=65B28B5D0A41418EE019ADDF4A8223CF51FA1D8A14D12693C579D5831DE6E3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:16.417{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FDB13B811A96475DEED9760BF3BFBD5,SHA256=C98CAF0E08EE9E12341134B3FA16F3E0F5DC903068B8E7348BFF7F8D26A1C016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:16.417{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ECB78303EA2556265DD1E0F8ED992C5,SHA256=474CA85855C549549C2F868390A0A7A99B56257A82AF0F6261D6EF30A582FCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:16.261{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB96F559AB8B20BE231D99775FE7C0B,SHA256=2610B5363DD8F6CD0ABF17A8ADD24AB3816FD20E85A39231DA631052188962E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:16.126{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC995A65877C126A94FE7FA9B028DF2,SHA256=37CC5E61AB4B83A27EC2F23E0B1D493ADB43D9A2FD36E82DC7E82F6661B56514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:17.422{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4220MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:17.262{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330C73373900E3DF6330AA2ED0AB588E,SHA256=AB68E511016EC3A848ADCD79DF56E86C795114FEFEE1279D5192A7A92E757F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:17.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=941580BA638E4691430D55C35C9EDECA,SHA256=864ADDD4D82F36A137FEFEC11582E147A217ED9ED38C1C9C566CF100A0360359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:17.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=965B5A4B6196C64E1DC031BE26213BE7,SHA256=CF48039B0568C5F2FF269F5983D529A58A90E5009F02D213B704C9F29555572F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:13.926{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56154-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:17.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1234F5CEA6DE59588000AE46664E9EA,SHA256=2195ECBDA4DA0A636CC34EC3640FEDDF6863CFF4C0D4927DAD8BE794DAFA1060,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:15.093{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52416-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001023330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:15.093{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52416-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001023338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:18.464{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FDB13B811A96475DEED9760BF3BFBD5,SHA256=C98CAF0E08EE9E12341134B3FA16F3E0F5DC903068B8E7348BFF7F8D26A1C016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:18.435{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4221MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:18.277{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B4F02AEC6D9A5B1C65762261AC9C64,SHA256=0BB427B9A6FCF76663E43296FC5D14F9F1B0CE90FF85D972EF868FCD9B227A7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:14.852{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60488-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:18.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302054E9AD3A608BF93208B64FAED397,SHA256=04E5D4DC2B5C58B026D1955503FE064AFAC0C69A0D54BA4B5FEE805AADDC7184,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:16.843{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64540-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:16.735{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:19.279{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4108CEC5F4FAF15F6AC6FE73E140AF,SHA256=B139088EA8872C544407284252F45427D938FDD70F673A943D675B4D0C037054,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:15.771{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58285-false10.0.1.12-8000- 23542300x8000000000000000959607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:19.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE32BCBC323B6FAE6AD32DE0AF80B99,SHA256=E3A0B2DC893262D3A8279532C2B49E2533A781E41B721DC2F4DA2DF8FBA5A4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:20.510{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F48F6B3EC9DA836CE077163514DC59,SHA256=8590011631F4699F7B4002C316EB1C67696E2C69BDD8E83FD3898B8D99953094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:20.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5E024851A69D45E56D61BC26240611,SHA256=9F348563E363C828FC8D3A9FA36815A2A7FFD4D8B095322156D149C7808FD990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:21.572{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A92931F0EF013F01B7B2F7E697491E9,SHA256=F966377B7E8A1651E9400A3CB0964C3CC410AC668B1CB0931D4754AD9D6274B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:21.188{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6E8FD7BB30425A19202F23397CA7C6,SHA256=9AF82075D1CC898B64574CFCA81EFC60B175B22F3152A49692C378D4E38AF966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:22.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBD6E2E653222B32AE53454079E744C,SHA256=1214553AD606175E734FE80A8EE1903403ED145E2D5716A8D135501CD434FD70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:22.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397607A70C6AE1C85747752B9D9B89E3,SHA256=9CF5BAEB743B86918A19B039416A5A0A3A0E3B8E09A5FA5F4DC594DCA1CA6571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:23.666{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF22DA0137DC3CB5912516481AE3C92,SHA256=25FB9C977EB09DC4EF115A1109B16582DBAF4E9A5B711EE0063D0833005C4931,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:20.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com62291-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:23.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE2CC852C1C2EAAEBB94C030A3B745F,SHA256=AD4F2579332B007472641240B154BF35306D3CCE81549B36EC5D5E53DB7835CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:21.904{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000959613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:23.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB9B67CAB6CDD213747B8B7468093470,SHA256=DAD078C5A03C30E57711493DC1B1FC6F48F11DEEFB0A4292ECEFB9EF83DA10BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:23.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=941580BA638E4691430D55C35C9EDECA,SHA256=864ADDD4D82F36A137FEFEC11582E147A217ED9ED38C1C9C566CF100A0360359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:24.666{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B567C5632A0311E88F57460DAC1F2548,SHA256=261901986C05031BA079C2A2D86261EDB0542A7027769B2E622579EE4502D574,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:21.689{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58286-false10.0.1.12-8000- 23542300x8000000000000000959616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:24.219{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2E6998F2A7427CD7A33506B22B8F99,SHA256=2AB093FBD0B690C6BACF972891743C115C8592409C329CE6A2397851F30646C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:25.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21840F7046C49BA7BEF0A1F54BE0E0B4,SHA256=0071BDC239A11D9108100B806D38B2C61FD8468E1E678CA4ECCED0CB397BE8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:25.219{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86500B03C57919E2D09AD5761B09AA79,SHA256=B5BF88AD51B96B8747FC5F1FE1B33D37665D92747343DD55F3B244FB082F32F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:26.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932A222089F1EC7E5F3BD93DFA077C98,SHA256=B30ACC4EE5B35CAD231EFF6B88A26A274DEE891777C195BB5986D47BFF0726E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.485{69CF5F33-75E2-6151-4C77-00000000FD01}3323524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75E2-6151-4C77-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-75E2-6151-4C77-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.313{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75E2-6151-4C77-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.298{69CF5F33-75E2-6151-4C77-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.297{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9993BB39B2A7C3A90E4329DFA644D2,SHA256=CF4F78FA42D817FA62999D99BE2668758A308AAB8DC61C1E4E06CA1BD2E4001D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:24.570{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:26.525{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=391F01C58AAD5648A415F067D711D917,SHA256=37EAFA3B08EBF041B738582B717F07B09C689DB1C335BE312C844E12F6B8D72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:26.525{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E770CFA71B74AE49C8314A4B9A832AFD,SHA256=47CFA2C28D6D1B8041A105CE1F302342982BAA6F11F5C0A54E253297BD8E7EC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:24.719{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53876-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000959662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75E3-6151-4E77-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-75E3-6151-4E77-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.516{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75E3-6151-4E77-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.503{69CF5F33-75E3-6151-4E77-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.500{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD0AE7AE23EBB75C9EC71EB37DD4423,SHA256=62F5FA9E6E9F85C267E8A4AF32B9F98B2F2FBD81E5125047EE037E7C9B08D3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.500{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB9B67CAB6CDD213747B8B7468093470,SHA256=DAD078C5A03C30E57711493DC1B1FC6F48F11DEEFB0A4292ECEFB9EF83DA10BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.157{69CF5F33-75E2-6151-4D77-00000000FD01}23921992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75E2-6151-4D77-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-75E2-6151-4D77-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:27.000{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75E2-6151-4D77-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.986{69CF5F33-75E2-6151-4D77-00000000FD01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000959692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75E4-6151-5077-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-75E4-6151-5077-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.875{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75E4-6151-5077-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.861{69CF5F33-75E4-6151-5077-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBE3D140F9A398E96AC23EC75C5D564,SHA256=79EA3F03A595F64E4C0BA877D1FA9C9B31D547F82EF343F2C5993B2D0F92DB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.501{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D433D23B3682711DAFA4B8DC9394271,SHA256=D2FC35E03CEE9A2C714426A0CB4648CB52D204B68BD9A227870C9A28011520FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:28.166{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120F33E1586417F01FE1C9107882D343,SHA256=1D28CF1ABA04541B7841E1D343A6F4B99D9A727B87828A4D124BB0A827D62528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.391{69CF5F33-75E4-6151-4F77-00000000FD01}2556792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.204{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75E4-6151-4F77-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-75E4-6151-4F77-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.188{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75E4-6151-4F77-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:28.189{69CF5F33-75E4-6151-4F77-00000000FD01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000959708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:26.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58287-false10.0.1.12-8000- 10341000x8000000000000000959707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.766{69CF5F33-75E5-6151-5177-00000000FD01}26802396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.563{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75E5-6151-5177-00000000FD01}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.563{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.563{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.563{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.563{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.563{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.547{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.547{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.547{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.547{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.547{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-75E5-6151-5177-00000000FD01}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.547{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75E5-6151-5177-00000000FD01}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.548{69CF5F33-75E5-6151-5177-00000000FD01}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:29.547{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6E8EB7A0168B0D6DDA69B6DA015F2B,SHA256=12FC5348116372C83A84B4591EB6AFD71FD90925F48B57466FA619B3DCF5ACDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:27.842{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:29.181{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A655A5F177272DF769AB0F0AD71DA1,SHA256=1429D60C5D17DCB99BA45372BBF1CC076147C3699BFA5FF09BDE90F92814ABCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:30.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E74CAFEE60644ED0DC2FE9D7A257EFB,SHA256=15BF40ECF2C20A3D43BFD3A6D7ECE82B916870DDAAE50ED0A0D21E31D991A5C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:30.760{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=391F01C58AAD5648A415F067D711D917,SHA256=37EAFA3B08EBF041B738582B717F07B09C689DB1C335BE312C844E12F6B8D72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:30.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C38FECC2E401BDC7ABAE3994A372010,SHA256=793FB99E84CFDFF074236F6D51BBAD7694CBA2333B3E010FD1EEF236A82E9E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:30.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74720E264B685E1CF2718CBD3A1392B8,SHA256=4580F831A308D36EB967C987BDF2EC172ED14BC4BCB3A8C6F819BBE27D07D333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:31.907{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A664DB58238F646860586170D8544C01,SHA256=C83A5D43D94088D3F702C3FB2661019FD7457154C26B7DF1F64CD7D95CC2924A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:31.797{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99527C6E40D5EA085421F5762F1BBEB8,SHA256=A32E44FEA9CCFA964E6B155ED065D57CD0C76283418926CDBE10CED3F48FD769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:31.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7882E92C901962C68B414B459BC80B89,SHA256=9B68DAAC843552687837E40FCCBAD3C514CEBC28C8D30B7E84FA9338C571C88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:32.588{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAEE0E1BBB3BBBCD73D6F56BC2FD59F,SHA256=EBA9A332AD6627B9E50160AA4C5500C31C92A450B314B76A5150CD965380D512,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:29.115{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55571-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:33.744{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883DA1E0D7515083FE19452896925841,SHA256=BB1269E6CF61E59A7A142C41BBAA90FD51C51F30C1CE0D1B9155B71A616F2F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:33.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC586977DA36C63C25F45D16586662EB,SHA256=B00CF49B44A16948184811EF02300351F6C7F5C3B60849F7BD43804593F98CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:33.603{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A52E755F8F4BFE72555DCDBE071E179,SHA256=B10E3E096E5CA380D41D02164D55A3E159DD24840A5875ABF446950D0CC22DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:34.744{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBF412355AA391F6172BA02A1369462,SHA256=2F36E76D28B160FCD6C986EA5242C99CC78D1A41E02DADB36263E05E3B10FD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:34.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C6E3AED705FD22879DA0F2562057FF,SHA256=0AEC5D5AA18EF498F2999BE6F5791E672EFE2529C2800673C09FAE92C3650751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:34.603{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:31.961{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58056-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:31.925{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57667-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:35.978{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4ACAFF11B93560B62C1EE271D292AF,SHA256=D4A37EC4C1E1D91E3921EF5D2FC56EB6E3C2B1BE228E513CE04FDBB5187AAE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:35.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AD859CC87BD2939D7746EBB7BB1FA18,SHA256=1B3B8D0DAE7FC21CCAB27E205412329DBFE7A7E65D23B50DDAC669A7AC5855FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:35.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04A262C981056EDCB98F86BF71563629,SHA256=A27CADA2E737F27ECA809B2A52D421933D449DAA33C4888D2C3F97D58AC3AD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:35.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84537BD3654095FFF04C07C0A5ABE6C3,SHA256=E2FFB2F3D15B188C2C5199C7465557F007BAD53527A3C432D3ABD13E063CB98B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:32.357{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58712-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:36.994{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C3E88A282A9DE9553AFDC99A3436FB,SHA256=6936CEFC1C3677069EF7DE2ADE4F884FD32F2D6AF52F23BF5D868EAD5BA9F375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:36.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB860B41A3D7ADCF2E91001DDB569DC0,SHA256=6BD41C3BA07761154B6815A1CACCC4A570F519BC1D4C54C4A2CDF658465B71BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:34.280{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001023366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:33.810{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000959719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:32.705{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58288-false10.0.1.12-8000- 23542300x8000000000000000959722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:37.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C63F369E2C671A33BB8D10AC88C54A,SHA256=2BDFDAA39CF0CCB6E51F8284B0A216CF127BF33DB0BE9DF7BBA63D0CF4FC728A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:33.842{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com58479-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000959738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-75EE-6151-5277-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-75EE-6151-5277-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.751{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-75EE-6151-5277-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.736{69CF5F33-75EE-6151-5277-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.360{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DFD4E90775F891AA8247B2DEDFD165,SHA256=1BEEB6454BFB4A22879A9A727AC8AF473BFAB1FF764CA7BAF1359C71663A97A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:38.572{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9466EE1EF864EF1C13C003451CE8BBC2,SHA256=BBEA1CE3573FB681213D6A800813646B3F086386AC9BB669DAAC2539C866A230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:38.010{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A795774108EB072A8B094CE627D0375,SHA256=A551AACE88262D969AFE1A1B46C6959BA7C7F74E4173826C235E6157B8177964,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:35.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AD859CC87BD2939D7746EBB7BB1FA18,SHA256=1B3B8D0DAE7FC21CCAB27E205412329DBFE7A7E65D23B50DDAC669A7AC5855FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:39.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=600F64BD801D467C8E69ED1F32C1517B,SHA256=C345BD0FB534382C131CD6C86627AF5A845EC4B04852A11DF49BBFC6CCFAD112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:39.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3065A3E2A29CC080027BB4E6076A320E,SHA256=73CF1B9E4A2B8FD5B1CB887BC0B49691EAFAE82BA211F73D2B16FA3E56936052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:39.072{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DBE23A258EC13199B92EF85ACE94BD,SHA256=5E2600B53D763124E4AA818B9A8D0E47ED3C416C7FB3B00F69CED9C9E75A3EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:39.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3643B6699C4BC59391B21CBF6EBA99B4,SHA256=F79A9D3C0D7BE44C456A14CBEE629C12E6B4E960A95F2721EEA70E6C8E23C4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:36.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-50863-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:39.375{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1886394BF50D2FFD67111F80FDF2E7A0,SHA256=02DDE7D41BE990DA62EA2D723AD1112A76539513405F7AEA911BBFD60EE40882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:40.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9AB5B76EA014B8A7832295F203E3D4,SHA256=2CB88E66FD25F225BEF62B18BC17150D6C530ED4B60E00AF522390D01F14E42C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:37.778{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:40.303{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5B3BA277DBE3A05681F9FF96F1B5D0,SHA256=BEC46C4905CA6BC94437BCFC4B8C6977052F014DF9878AC702B97590D89C0F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:40.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=228C4864FC53EE9E7ECA7BE57A5A3395,SHA256=B2FAD06B05E664B313F4E31358737D2666ACEF6410BC850FDF03D70747D6DBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:40.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3E276B587DA95B7EE69B805B00C23F59,SHA256=6A5D2CE898352265A99FC9906D6B0267EDB07858468D89E5085E205FFAE5D2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:41.627{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB85615904271E3E0153EF12B6C01E5,SHA256=FDCCE28BCFF62CB92D084CB945C920F3EAD4ADFBB2C058CA9DD7533F3C2C5C55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:38.920{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:41.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC119F8A34E4837213E1F1C85B7D029,SHA256=ED08A6843BF4F59DFDF3ED4CAEA29422862B7DCD6A9903EE82518BE2446A93A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:38.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:37.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58289-false10.0.1.12-8000- 23542300x8000000000000000959743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:41.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5EEDE9FDFCB43CD0A406A0C21132B03,SHA256=0FBBA28681CFB5B80A5CD05CB9A7274D711D7D58942CFE3EC7E31E5F61DA8890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:42.862{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F131EC1BBBEE467E469E5F9D26F533C4,SHA256=FAB4D5D95DE1A782C26DCA9C9A0492E799F84CF89119AC74FB68636FCF30AADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:42.444{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F6EF46907D7A2235FD56A06D99D61C,SHA256=597CEDF25BF8125B520F466331089ACD17893C68D4584CD3293CE653FBCD3BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:42.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B3C7A0C4D56C7627D7B55E24029A5D,SHA256=7ED8A7906C25E336572FA4A1A107AF0DA20B1E48B5F48C9D8D7990D9FC6AA7CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:39.566{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:43.459{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EA10C92DD8369B691EAE5E7BE7AD53,SHA256=60CA06D994DF359D9227F120DA49276C17D406CEAD4E320BAA2835CB55597147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:44.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A560AC65DB40EE53DB7E5C42104A0DE9,SHA256=F98DC3215EC60CEC3E89353A0EABBBEDD18241C74B6B01B244B45AC39D170F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:44.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E6C0062D2522E207AF741EC015B0E5,SHA256=8F8F413156066727F0EDF7E5BD96C4E6E9F704B9CDF01F4DFA73A4921C24A07B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75F5-6151-5A77-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-75F5-6151-5A77-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.803{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75F5-6151-5A77-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.773{5EBD8912-75F5-6151-5A77-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:45.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03782F49D2925EACAA49C179128E951E,SHA256=6545AD75CB908844C2EFB6A7E1B7755EBD4607A801BEB5D074E7F8902A40EBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:45.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B832652E3AA296BF1ECF2C6C8C324EE,SHA256=71AA3BC6494099656CD489E144B78953DE3C05F9FF613A3C98348DD342DD019E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:43.769{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58290-false10.0.1.12-8000- 354300x8000000000000000959753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:43.553{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.180-62650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:46.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D06B6D462B23A6309B55F0F025A7E57,SHA256=122BC031A938798348ECFE3BF2C1FAE5992158F85FAF58A6AF169FB66213D231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CD3F51FFC21D0903B4E3536ED0EB391,SHA256=E78336B2E60A72942943CCB7E3BB2377FFC2B4CE91E7C0BB64AEA3F15D39651D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=600F64BD801D467C8E69ED1F32C1517B,SHA256=C345BD0FB534382C131CD6C86627AF5A845EC4B04852A11DF49BBFC6CCFAD112,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.694{5EBD8912-75F6-6151-5B77-00000000FC01}43404984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001023411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:44.823{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBC0AEAEFED5290E8E628B25E9E7A62,SHA256=2F9965B6453CEB0893C94354906CD4D8F3C24EA4EC16DAA87A3617B30AD3DDD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75F6-6151-5B77-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-75F6-6151-5B77-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.491{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75F6-6151-5B77-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:46.476{5EBD8912-75F6-6151-5B77-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.663{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F969F0C6742CA9F6D8D6C2C12733D958,SHA256=5A5C55E116E8DDE9AAEC77979C9CD7A3B2EBD6F5A2CE529F0A592ADA0390F590,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:45.467{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:47.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44369FDBF6B4FF0CAC6A81AE15E78F52,SHA256=5CB7FBDA9417F2DEC830147E0850D81E528723E6B02D159C6FE83D6529038C29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75F7-6151-5C77-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-75F7-6151-5C77-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.178{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75F7-6151-5C77-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:47.163{5EBD8912-75F7-6151-5C77-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:48.850{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC1BB9CAB60BA2F7305C784473AC648,SHA256=3689C9E7E18EBD87B5CF076279EAEDC6E9E869E18A31682DEC1D286D71941943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:48.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C4F054EB1D06CE5F3B1352C33E25E5,SHA256=301AB3B960963EDC7CDF26CE5973129F5CF24B6CCF1FE853439E6DF592C34AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:48.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CD3F51FFC21D0903B4E3536ED0EB391,SHA256=E78336B2E60A72942943CCB7E3BB2377FFC2B4CE91E7C0BB64AEA3F15D39651D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:48.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1762F7E2A9827C895A22341D5FB25C3C,SHA256=F48B4ACA99693C270D78F2EDC2883FA146C3A633E0D81E55CEFB428B6638ACD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:48.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A1BA8F89848A4D43B2324F34DA5BE81,SHA256=AD8D7F9B9EAE936E76B865C1F82E26255F7A161048B552CBD37B66EC493E96F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:49.866{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7939AA8F8120AC4B882FF2304431D1B2,SHA256=2498CF7DAAACCE736B8E4280F2959BEF100681333FCF5F6FCEDDCE3CE61F3AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:49.866{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FFC09C22BA0A011F941B837FFEEB51,SHA256=591E70D92455A8E49DF4590FBAD5D7DC3B8BFA6BE555F90D141309677B2DE510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:49.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE264CA0B16353CB39B0A142F83014B,SHA256=EB872DC63896EC43956782FA5C5968FA75E9A301E8FF540B9A7985C6EFB7C433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:50.866{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DC204119361C54BF0C75583612ECEA,SHA256=4635FD89E371AA9172FA47262D76A41A34FDC4B5EAE1165BB2475477E6E86D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:50.787{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1762F7E2A9827C895A22341D5FB25C3C,SHA256=F48B4ACA99693C270D78F2EDC2883FA146C3A633E0D81E55CEFB428B6638ACD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:50.556{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4221MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:50.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70793D07D1A6581FEFDF6EDA372DDE6,SHA256=DA8B217B8F4B16D3DE6C940B3C0B873F6E77829BBA7B23CCAD99126050C040C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:48.239{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55358-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:51.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E6BAE43AF5CB4105C7528CAC0C532E,SHA256=C079AD118EA08842297727C93BBE7831D7DF5AE31425698DAA21AA91184201A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:51.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97415FD9D7333F803E7C0F28CC772DEF,SHA256=132B5CD32D04427B6E66B0139AF6D68B43B9DF2CA9FC761C3AD6B70990C64ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:51.569{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4222MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:51.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329A395BA4495B9996C1329F099C77F0,SHA256=B575C5EC184293EABD798CE9C3826DD6996BB07325774427276B370A72B124C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:48.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com54877-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:52.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE85061E311D23304782F40B2EA529DA,SHA256=8CB11F12BA004E7F538B052538F123FE365CC4003131DFBBDACED562DAE7A0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:52.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF26E6FB5CB67B029A0EAAB819B8806,SHA256=C9D81ECEF518B8EC3589FB6DBC7173C6CEE5BD38F3DD2798C1A66608E603F165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:52.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF13501FDCE28278BA1D9649528BEC82,SHA256=F2529D189557397988A30AFB7B625605219D37FBF99A3EC8297792E75CCB6942,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:49.694{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58291-false10.0.1.12-8000- 354300x8000000000000000959768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:49.034{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-51806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:53.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D56909FB7EC2B76C005225D9EF5395,SHA256=CAB534C835A3C521F40FE2E4231D3E98A5DCACC369CD8DB18347E488A2ED6CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:53.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C5DCF8502CA40FDFDB22A3096DCB77,SHA256=ACF027398AC922F0427BB5A5E48DAC8B197FAF7F841DC33DBA53754F58A86536,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.962{5EBD8912-75FE-6151-5D77-00000000FC01}3244584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001023455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.913{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B750808FE63D63F7E9FEAD344A1EFB5,SHA256=7AED91DB4E03097965A548A156C3747EC720356B2A30FA07C192A95CA26834D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:54.506{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E88F323CC89DCEB18C3A4584BA91F0,SHA256=8FF7B461EC189041EC1A3F2C3C80576BEF158AF2A224A3F691FED8581EE92E9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75FE-6151-5D77-00000000FC01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-75FE-6151-5D77-00000000FC01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.803{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75FE-6151-5D77-00000000FC01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:54.788{5EBD8912-75FE-6151-5D77-00000000FC01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001023441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:52.411{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54856-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:51.089{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53760-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:50.729{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52424-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.913{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECE2F5A2C9A632AC8CAA39CE943AB28,SHA256=AE51F2190D4F2FA0C380DFE25F81BA457F2FCECE6DD6B50D9C391EDCD91260F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:55.522{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA44A5B8D1C291F63FCA23E51B019B4E,SHA256=79EC0D58583EF5FEB5053F0284A85F4273E964C68D9ED5AB91C1B611C685CE56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.694{5EBD8912-75FF-6151-5E77-00000000FC01}50201980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.506{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-75FF-6151-5E77-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-75FF-6151-5E77-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.491{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-75FF-6151-5E77-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.476{5EBD8912-75FF-6151-5E77-00000000FC01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.022{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2912F65457E8B1079799D924F867B538,SHA256=E3E3E5A5DF8FDFE680B1DA1F49F71817E5DE685F774E64C57947826CCF2AC8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A138760F285FEC43FA82CFB1BAF8ED5,SHA256=4ED5C2B186F5E63644CD32238B38AB863639B89E0F77550D818A489B76ED865F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:56.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E77E234FF5CC51810A0846C274027F,SHA256=843721D44494FC61E9D76BE45B915B20EEA73B3BEC7CED6318A1F14EDC895E7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7600-6151-6077-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-7600-6151-6077-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.881{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7600-6151-6077-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.866{5EBD8912-7600-6151-6077-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.553{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F458022BB391E7031CC9B06DB44455,SHA256=9F2B879928C72F5818FE43181DF98B854060DF8226E07EDBAC3732DB0D2CD526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7600-6151-5F77-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7600-6151-5F77-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.194{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7600-6151-5F77-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:56.179{5EBD8912-7600-6151-5F77-00000000FC01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:57.975{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1720EAB64DAE0266469052F8F01D2B95,SHA256=A1D7044F4C46A1FA33743E7FAD54D1E54D8ABB5F3BD3912FE85375D7490171E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:54.899{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58292-false10.0.1.12-8000- 354300x8000000000000000959778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:54.796{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:57.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C876A974D5F4579A661855F997CF9FFF,SHA256=E7CC80784E45C1BD7CCF1FBF485F963985F10B60A6F9DCF77AFA8BD459952F37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:57.053{5EBD8912-7600-6151-6077-00000000FC01}28604204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:57.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8842337F12237908726F39474C3EF7E,SHA256=0FBA48C29199DDE47C029FBCFE9F15ED574342E97861BD2E857C605DAFB4C190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:57.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032BD6F88CA11329C131403E99F51F9A,SHA256=A0F3364DB1514E66FEE80C20903ED906D0315A92DEC300F25442891D52C1ED9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:58.991{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A747EE6C7EA084A7860D959469980E,SHA256=379160DE7C7D17203B59898D45760D14C1D8B43B43583BFA1EB0EF8697793AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:58.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0797EE7812E3691F22632C2526DDCF,SHA256=BE3CC00546FA15E04AEC5B404DBCCB57630DAD042E1508FF0EB1BF717968462D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:55.855{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:42:58.100{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7D8BD6241FADDC8892D78AE8ABC17B,SHA256=383214C252DE69A571953D1E8A309BA2743EB78572C559465B5A195CC1CEF535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:59.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C12954CD3A44CC0D5A6292E2D8B51D3,SHA256=D50C34B3EC947241E581575D9B845762E0DFA05937321C9362DD53CC4615997E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:00.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3FD9F12408402B223EA7473F610845,SHA256=8026EFC1D8C543CC48BA92E5FDB9AF4373881EDAD76ED7D7BC47995B3A8B3764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:00.219{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C261028F87D88DA83CC656ACD5FECD,SHA256=27BC3A154CA5E0625FD200D06E8BEF973BD28455B7BE2B96C5C819F60A0D88CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:42:59.366{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59944-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:01.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C4A7F6BE2F705CDF6914EAAA1B010E,SHA256=7FFB7101AEE92355AB1FEA2E3D6E297933B99A86C66D50823F8288785CAF8D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:01.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CBA448A4ECDE70B3DF7B39C411B9B6,SHA256=99C9216AA9C923470B78B4C704480616416D3BF697A1D6E1628E143DB652D25B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:00.895{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:02.438{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4569463428CEFA43A63E0880FACCA82A,SHA256=CCB341BD357B4E02E9B47D74BA8A2B3F77548B6239B48CE8A80D0BD2F29B7D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:02.774{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B45A4B754E7B6210D51AA328C4BDC9,SHA256=62ADF567B0934608F95873F3DB9046F39C9966414EBDFE997C355B453D9327F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:02.774{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8842337F12237908726F39474C3EF7E,SHA256=0FBA48C29199DDE47C029FBCFE9F15ED574342E97861BD2E857C605DAFB4C190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:02.571{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C72271C4B770F250E9DD4A20E8AC42,SHA256=4BF268078803BE75908888D369C0A1712EE095E04D0B8C1A3A157E3DA9B6203E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:03.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A83659AC336DB60BA0D32418342014AF,SHA256=5C5683A9F79D4F785E6410D1896AEC07C9211C9B980CF26F4C1AE62B2E977103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:03.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B010DCA906CF82DA8A8168ADE06747,SHA256=44AE3C39465B4125E78751F6A0DA9C7D36847B444011684EF64D1279890B1AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:03.454{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BB2D9CCEEF7224362867A26F607F2A,SHA256=D56A87666B017C01C1548D366394170DA828BA1F395C457DADC701E0DCF3F924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:03.571{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06B3714A96AD22A01B07CB4158FD026,SHA256=59FC5B3979B4E9A2C64C293B5C761AD2F17B5995CEDE9452350859AE18BDFF10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:04.860{5EBD8912-7F30-614D-1600-00000000FC01}12681824C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:04.860{5EBD8912-7F30-614D-1600-00000000FC01}12681824C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001023514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:02.110{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:04.469{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC84EB46EC7A25FCC56E109FAC23A4A,SHA256=6D564649FF146B784FF7A8DFE7450D5FA3FE2117460B18F43B1FB2AF45A63D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:04.586{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1358020DDC93D66CC326C45E0CDB74,SHA256=AE6930A491C59B981F105016E703F93320514B6ADEB1A15A0F2547CFE69363C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:04.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B45A4B754E7B6210D51AA328C4BDC9,SHA256=62ADF567B0934608F95873F3DB9046F39C9966414EBDFE997C355B453D9327F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:05.602{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5FCC71EBD1C8011C5E55403767B370,SHA256=F96A4F2E001B19D63B02728B49FCA9BA54ADB356400751BDBCBFB948D71649D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:05.641{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431B337C972029EB1014CD7B70C3191,SHA256=AFB04C19FDAF0E17F5A9D4DB1B0BF4B12BD04CCE1A2EE3617B0F903F37A169F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:02.376{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:01.788{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com51061-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:00.855{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58293-false10.0.1.12-8000- 23542300x80000000000000001023519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:06.657{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C579A6170171C1DC68F467B5E23F341D,SHA256=3BF2857629B69AAD510A8D4D9A6B02B37123AE9D635BCF2D9B83D0FB08BF5F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:06.618{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA7D66D965294F6B4F4EA913E247844,SHA256=7D7FBF6D6295CD76B5928838495C983FAF4437180D90C25AD8EB6A0A1A05E293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:06.219{5EBD8912-7F2D-614D-0B00-00000000FC01}624580C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001023523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:05.913{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52427-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001023522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:05.913{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52427-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001023521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:07.657{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806ADA900D0AE4BD80628CA303E4BFF9,SHA256=EEFA787E44D09F598B24472242BB602AF4ECE2CD104E3D1793EE0140CF63F92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:07.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3490D3D5B249ACD4F5FDD2F7A2B765DD,SHA256=599DDE9C71BDAFDAB83E17E6BE4D0EF56626C42A40D081DDC57B5C96A6B3DC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:07.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A83659AC336DB60BA0D32418342014AF,SHA256=5C5683A9F79D4F785E6410D1896AEC07C9211C9B980CF26F4C1AE62B2E977103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:08.876{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FDCCF341F32625C817EEBDFB90DFD6,SHA256=8453D4657B9ACF56F2F1B9070701717F5F13B62E79A798CF16E8DF5B522988E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:08.649{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D322C6A2B890C1CC1FF5BBF500CB55,SHA256=DD29A7A487E5D234626C98B5617434E5C933030F0FB18B118335285E571B788B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:06.817{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000959798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:09.665{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304AEAF3B037395DD840BF9E8D1F17B7,SHA256=2EA17933F724D0E65D19DADE2737058086A607ED71C470D3F77C427FFC2B14D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:10.680{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1F08DDAEE8FA43B6FA96171E963FF0,SHA256=A14D9D1217A2C2C4A924E37E7B17AF6962C5E4E71F201FE4B13E39868AACFB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:10.969{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48D815A2AA41FC279C29FB507C6E1CD5,SHA256=DCC0E803FB33F1991C7528E0F0D4D75B2A223EC3B6A681050A66BE9FC6D0E845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:10.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA5BC8CB26C1E5F2BB22F1836B47834,SHA256=EF8A66FBD593E2CD3D17EC01BF6835D091D7127E8A63C672677D88DE37E8E2BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:06.775{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58294-false10.0.1.12-8000- 23542300x8000000000000000959802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:11.743{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:11.696{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34E375C722300AD423739A8D011DA50,SHA256=29D489E37E892FEA895564E09C9DC539A6EBC2B37220363F1B1FB2342865F74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:11.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF774C86D33E559C8415660DF230FC99,SHA256=0A86AB80D119589A853FFBD6BE0E93541047306255517CAEE3E0912F6322BDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:12.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EBB41D092372031927D15E1FB1BEF7D,SHA256=1D6921C90E08E4EDB33F7545537B96B22F813FA3CF4E1FE10060750FFB134E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:12.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBF45A46DC32544F6976FB3C09DC090,SHA256=022236A42963A7072699784142750533624A33C90B9BF052C8DBD944C6901D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:12.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61232B3A31C33B5FAC4DC00CDE5751B8,SHA256=5129E21EAA896B86C89BE0225B693D560FACF390A528E71FA054447F9E5E6BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:12.126{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA46DF5A12F04C8DC7994E16DD63A27,SHA256=E7F377B05B37F7AF747A2BE23BB9E2F42E4D3253F529CDA1260C43926F39BC0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:09.369{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56605-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000959808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:13.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7FA053BB9FBC97344EF4C177F9E1B4,SHA256=F1C3E9161A84318DDAD0B8A11EAEC30ACFE65B99E0D40D30ADBE9961E14ABD26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:10.384{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58295-false10.0.1.12-8089- 354300x8000000000000000959806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:10.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:13.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07B94AF5DAFF385963AA1D7EEEFF9F11,SHA256=4B2DB1DA6B619F5B503A3A14F99E93984826D74AB6FC31D4DA88764903A62D46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:09.826{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49739-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:13.141{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B00AF25BDA888EDFF827CEEE4DA4AC,SHA256=631EF62011AE386F4D6C73BCE6796F1467304ED87A72BD82B98BB39E81106630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:14.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51AB5BCCBABC9EB81FB76CB6AC9EB7A,SHA256=637CBC78B43408A75FA3E5C267D791B0A5B46BBF1E1B1FCC58D1015AB9AA4202,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:11.723{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58476-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:14.173{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2973D4373841C117797E2E321A14D1B2,SHA256=191E14CEC18AB997B6F666037F1CA614CAB171958812328F47D1C70B44141552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:15.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ACC74C4E7A6468E2F07FA117A02E07,SHA256=61E8A82BA4F3FA961A7C82034DFC1734D4FAD8D823CAC15F56A8AE35A7AABEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:15.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27628C02C5967F42AFC7EFEC094B3431,SHA256=8BC2A07FF24CA2E8688713D135D66A721FAE19E69E6433A3AF29BF57FE8D74A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:12.759{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58296-false10.0.1.12-8000- 354300x80000000000000001023536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:12.864{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000959812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:16.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F7A2DE49B29C15185188713FCFC502,SHA256=69B628D1C55FEF08C7DBEC61BE25DF386B60E35978EA5B96CBFFFC51223DE527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:16.469{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A433AB0790530DA33B6C3D6885F587,SHA256=A1935B594A28BD713FBBF179B8E72ABA92955CA8C81E451CD67FBE62263635FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:16.313{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73A042F5014BB17026AB54DB45011C7,SHA256=D88F65CCDD8E7113DCDACC23720F1FEC72B8B16AD73D2BF543EC761FBB7DCE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:17.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70D2D7B63A1E6C1DF841CC5C6876779D,SHA256=D1D54CE3102597CD3CA0D74F0410EF0547A26F7B8286C097F7709BC603BFD081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:17.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EBB41D092372031927D15E1FB1BEF7D,SHA256=1D6921C90E08E4EDB33F7545537B96B22F813FA3CF4E1FE10060750FFB134E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:17.758{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB2DD56844D8B3D6A7FB8CB04277DF6,SHA256=789BF84FD29A7407232C0EEC94CE486C1BC1AAB83DC25C953D90201E9DE80414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:17.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4880672B1E5843F7111567FB537BD023,SHA256=EE5F37F3764F17EEAC03F753F264AF2025DD2AF3B09EB3C65D450C55F2C9E809,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:15.114{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52430-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001023540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:15.114{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52430-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000959817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:18.774{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AEBEAEF2FDFF4B714A4BC6766B5B8C,SHA256=748B1D8E005AF5D9B594427C402557B188E27043B802051A0EC518CAB46D4DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:18.959{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4221MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:18.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0602B42C31A569AAAD0BEA328D1A6B0,SHA256=B23FA24072D2DACAEC66F3F27DA79EE6CC6EA2AB569E3CB805885CC05E509DCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:16.877{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:18.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497D9AB4094AA227A4382D323C088B99,SHA256=F38484F9220145CC5BF935A3E456E9B6EF885D88572C76C1E9C2E80E68A12565,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:15.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com64193-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:19.785{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680D70F49F05B600046F24943D24013C,SHA256=3247C5475E86C9946B2FA1B2D4603D383A8F8A42514A05EF5F20AECF773941A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:19.967{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4222MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:19.731{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89D60CE4370DDAAB5D5D326F33C485A,SHA256=9DDC6D98C3F946E4E663A8E21D6CFCA21631CB3DBCA49E26DE96412C7B60248B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:15.856{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:20.785{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE146C72A92D96E16D39E24C1442194,SHA256=A291F26F25362E4A44E73511C0CCCD1B27E00A5041B3C0326829134EF3B541AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:18.810{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:20.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F228CE378A0E071C20CAF69390AAB9CA,SHA256=7D8DC4AE76FA148D05C3CB16D6F2678BBBFB21481F4FF468ECEA4160A6443335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:21.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443228691907C8B2F0467BDF6A41C6DB,SHA256=A5070012E15AD49F0C2A95216D193284D3BF51ECD03BE5D5823335C783F2DD88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:18.723{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58297-false10.0.1.12-8000- 354300x8000000000000000959823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:18.307{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:18.298{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:21.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C844301E1B333AB1898D0CB8B5A3A7,SHA256=559D162FC50EE1342DC44853F85D741761954C451A28F458A25489371DBE39EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:21.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70D2D7B63A1E6C1DF841CC5C6876779D,SHA256=D1D54CE3102597CD3CA0D74F0410EF0547A26F7B8286C097F7709BC603BFD081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:22.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5EB5D47D6D5A821316CC773381EDA2,SHA256=5BF20D0544280FBB154725C206D3DC06F04B2D978FA0F6DE68A2D99029F5A096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:22.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E72428C2072399D49AA9C92BBC32A54,SHA256=19FF0F841F406363F3C79E482A9539E8BE803745A37B8593B780C0FBCC96B388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:23.832{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A408C4909D31FE9C0FCF51D83BC3D2,SHA256=6A2BFB4AA4BE5FFD2E5AA85A334E59DB3CB42A86F8475B9515ECAD4F3C578EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:23.796{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC89C5FB49C26823DB7162898F60C29,SHA256=B7B49F6DF5392D33F6A23180A28DC885243491CE763039216FF27DAA0180ADCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:24.832{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F7D056AAD80FCFA4D682983D0B0E8F7,SHA256=38DA9C72F162C023D73871D2EE84AAF55B7FC391347102D7D4BE31ACDE722776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:24.811{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AED6D470663662D5D7FDA408B87EE07,SHA256=10453F8B9C54C5BF4CE23213A16394120998E795D35A0559131FC8CF2AECCA3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:23.182{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.237unn-212-102-34-237.datapacket.com37846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:25.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53F550166CB8D14B2B30DBF169D12D1B,SHA256=31951A5CE292B38FC3163AADBCB2C075F7036445A5EE134F6E508899EE649BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:25.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB52B94279C2FD4379C8644EB0D21D4D,SHA256=C22E224C6EC632CBF55DB1EEAF1E5EBA85397FA3147BD2D60DC633C78504EA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:25.858{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50074420C84CBC6F8B7D6CE4C8A93578,SHA256=8A0D1BB5601C33915D87E18D8160A8FAA044833653929A300968C2B98FB8590F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:25.858{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=517FE7500C54F3C8383336C49C0C394D,SHA256=387D9CA64E9326553877F429984E3FA6C561A73E26DBE4F05E39C9DB3B731036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:25.811{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71313958CDF96C7F36B8648EF4EBCCF,SHA256=803265090923CC5ADAF7A9C97C345C292DDD2B19D7AABBE9412733C3AE1934DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:23.400{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57973-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:26.811{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D913B6672C272B832F6C4D207CC33960,SHA256=E819CF405AB72898AA413CEC3F29C0DA67157FAB65718B8854C95231AB98142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-761E-6151-5477-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-761E-6151-5477-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.972{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-761E-6151-5477-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.958{69CF5F33-761E-6151-5477-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E24A5E1ADCB92B52F529895A00B317C,SHA256=88C8FDE26794B732D73A5CFE5936D79DE6C774C08801F8CECF1CD41BFAAC8206,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.582{69CF5F33-761E-6151-5377-00000000FD01}19763376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-761E-6151-5377-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-761E-6151-5377-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.332{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-761E-6151-5377-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:26.301{69CF5F33-761E-6151-5377-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:27.827{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC802EA724D0FF22D281F0D82251D2E,SHA256=6C6EA0CB0971D5498F7AE4892438D0970D70B9EED91BF58F453D17EF5496EE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020165C111CD1D1D23B62A0DE99A18D6,SHA256=35034D023F5BF440127FF4FCD14FD8138452ECFEE3BF84E267C8CA8EC405F6D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:24.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000959874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-761F-6151-5577-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.597{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.582{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-761F-6151-5577-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.582{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-761F-6151-5577-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.583{69CF5F33-761F-6151-5577-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C31F9AD57665082AE81BA16DD262666,SHA256=19005873245D798329E7750673E761E16358EEB090A46488521E436B8D2740F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:27.160{69CF5F33-761E-6151-5477-00000000FD01}36761328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001023562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:28.905{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C605C6D8F700AC849F70B1601881A612,SHA256=496B8733E1481F0B3DD3CB92EB82F9D84930BCC6B09A028FF59707C952A21BF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7620-6151-5777-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.988{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.972{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.972{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-7620-6151-5777-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.972{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7620-6151-5777-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.958{69CF5F33-7620-6151-5777-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.972{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B14C54493AE997BC43A169428E012D,SHA256=765375DF4BA346A4774B64F684073A6C995C90715F5AD1C70D0543F0C604FFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=799F18BECD9E203B40CC3564DC0A8F75,SHA256=F79628D91942DDA994BF8E58A87FC987A900872EB6B9EFDB638D332185E62A72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.457{69CF5F33-7620-6151-5677-00000000FD01}31082572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.300{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7620-6151-5677-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-7620-6151-5677-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.285{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7620-6151-5677-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:28.270{69CF5F33-7620-6151-5677-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000959877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:24.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:24.692{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58298-false10.0.1.12-8000- 354300x80000000000000001023564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:27.599{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-49836-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:29.077{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50074420C84CBC6F8B7D6CE4C8A93578,SHA256=8A0D1BB5601C33915D87E18D8160A8FAA044833653929A300968C2B98FB8590F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.972{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8884601758319532AAEBB34CA806FB2D,SHA256=D525CB022D12E1C003F7AEC909C0FC18BFA39482CB8C9C0A76EC18136DDBB1A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.816{69CF5F33-7621-6151-5877-00000000FD01}7361616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7621-6151-5877-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-7621-6151-5877-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.675{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7621-6151-5877-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.660{69CF5F33-7621-6151-5877-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:30.238{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95287CEE6DC22A5AB1707BAD0C3FC00B,SHA256=225BCA6DA05FB4D2EAFE0F7E6B7DE5B3EF272027FB3397AA9040AA0DD4AB269D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:28.097{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56022-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001023566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:43:30.218{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b373-0x5d82c6c5) 23542300x80000000000000001023565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:30.139{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6756A06C318C203A707B468C9ED4CEC9,SHA256=9E8D249D740A9CC018B15B6254317E0FC9D8554F97F699FC9AE172C2AEDA0CDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:29.864{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:31.358{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34774B4601C30019C473DBA150E60D20,SHA256=8B936D8226FF1A3CC91DB0CCC77D47E709669B4E9A7E4720CA7A545B41EE34BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:31.910{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B38FC9A7D485A4897AD2A2F9C8FD1416,SHA256=22222B78A7BAD3508DC3A7E972D8F44BC4C2E25E9BA373BC49E3437CC4C0536B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:31.472{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E3D54E3277BB6FDC39892849151F42,SHA256=113F9608F6B4A9EA9A3B66B221E059713E0634A32270873426B495DE009A1E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:32.593{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86878BF8E400DF54F2FF1C2BF4AA8779,SHA256=90EF3792D09F62EFAF579DDC860796DF27FEB37CA0874C88AD6BCC1128BB4E86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:29.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58299-false10.0.1.12-8000- 23542300x8000000000000000959925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:32.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321291B27FD45A266F40F15EE9E0EDCA,SHA256=695D1780E2AA85E3A6575D0B3BE8659F6DF97B3E24ADCA2E39EC88794713F847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:33.827{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406FACB9419AAB34B70AEB12238963CC,SHA256=A6F24EFD2D5D2F7F51BCCD0DBFD82DE6FD1F20FDAFF226B6C895F98E8F4F0EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:33.894{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C23838F1C82AED1B6369119EDAE80ED,SHA256=53EF1CCBB455E923D52D3F41AAD2341173F9EECB5B9DFDF8F19978CED313C2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:34.894{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8FCCA52F13BF8A0D705363BD9383FA,SHA256=C6F877D20EF3832165DA5DE67D29725F3FA74B27351DF35CA9CDB468EDEDA0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:34.624{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:34.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BFB37E9A98D4BF378C0770A59901640,SHA256=10AE07B0C7990212063788FED82E1496F8692D951ED3F6441790999AE42D06E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:35.910{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4EFE56EED2F680C7930D182054D2E4,SHA256=B66FDCF3DFD06F4DE840DFCA48C50216BD22E1E2594B1AA58C428A88507CA073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:34.999{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF876315E0380CB65CA6AE07392A8AB2,SHA256=ADE405B3019FA7EB31804AB96779896DAB0393DF9C8624F614CB29839E621221,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:31.826{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com60508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:31.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:36.925{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2449F46FEC7E4CFAAA098F2DE11C504A,SHA256=9EC1E2E39DC16A8A79505E34D553A967C6E0E3C86FF009742B814E10E885A8F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:34.300{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001023574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:36.218{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB38A5889B850F6F8C4B55EDBD57E888,SHA256=35849FC2AB9C4A3762BBED7A1F8EF75595DDA8164EE47710E85FAE46936CBBF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:37.941{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440196805AAF4ED30D4A5181CEC8E14C,SHA256=3EF333417C741C11F4F0821CB09C50B92D4E3B5322796CE903C30B8FBADBD1B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:35.800{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:37.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A01F92279CC8F64ED2C5956F79A6779,SHA256=79AAEE2FC857A913B91F254865BDD53A65179C9FBEB122FF4A72C56B8C04E210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:37.269{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B525A75801CDA2AAED89D32D1393DC80,SHA256=A2BDFD27BD5103B13297BC2CF48FD0A64F867383A0FF5496464A357816D51317,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:34.549{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5A4ECC644F5587F4B5988C377A3FA4,SHA256=9D76D1EE86EEF950F9045711F2CA8A9B7B7C76D987AF9DCEA3F7900CE41E867A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:38.577{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54D8BDDC7782D8D7E43ED6A2572F8C3F,SHA256=553931D913A0CFA11E6C2F047A9FE49BD732808B3E0BF63C1E790704A62CFC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:38.499{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF21465D745F5C4B51DA040F0594C56,SHA256=5BAA6840C8E737D8B9C2A40F1190421A983A7D7CF60186D9CD9651BABD8EE5CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000959949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-762A-6151-5977-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.769{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000959939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.753{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-762A-6151-5977-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000959938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.753{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-762A-6151-5977-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000959937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:38.754{69CF5F33-762A-6151-5977-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:39.530{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26FDE587D76E0116183805456152E44,SHA256=6E605E7E108BF1F1D41B7F6DB738FA1E097FD73C588427BD4259CADBB3D52A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:39.804{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76A07659ABF2573257CBFF5EA1EF6A9F,SHA256=5321CECF5A13559E86EF2B90AC9C90DD18E6B1A8F407F3732EBFBB8DF3C35500,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:35.801{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58300-false10.0.1.12-8000- 23542300x80000000000000001023581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:40.750{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39356DD4F75B65927E3D06C967BF0A93,SHA256=85A4B5C8B8B17B5C6547FD64BC69EBA3EF1A57503A03A46DD9EC6F849B13CD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:40.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63493AA3228E843B87F73FB727BF26C8,SHA256=F80BEC8C1B5A8C5405342D8F977596C0388ED8C98A9355CA5C013C8888C500B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:41.828{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B8AFAF297518E3BCB9977F365A6ED3,SHA256=546BF0E25FB426CE0ACA150829ACB6CD3CF60DF323A3B0F15F0206382219E239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:41.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC678AEE870EA81A9517149488D612A7,SHA256=6C86384E092CE25D325A759937F09BAA1BB15EEEA8831C49DBBCDC1E2983DE30,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000959954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:43:41.382{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b373-0x642a4dfa) 23542300x80000000000000001023583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:42.969{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614FDCFAC28A4E506B05CB6E3A764A38,SHA256=AC07D0D9D639029E0624674474CAA12805F03C8DE2B6F54AEDE46FEF9B0B7799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:42.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD77654664F072A1341837810B7423B0,SHA256=639AA69B53DC855F6CD1AE5A3136B58A7552AF6E8B4EABCAE4C691638632B5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:43.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9980E3220021D209D191CFD105EFB5,SHA256=51B5007DC103C681085C9A81A3ADBFCE663365DBBB09C3FAC42B2150F37C429B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:44.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F5D9A8614EF27485306B56F2D46125,SHA256=859A883CEBAEC03F8A0DB3E4322EEA5037ED5BA5FFCB8DA510EA25C754F6C3FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:41.785{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:44.187{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99BCD85E686327ED3A95AAC34BEC866,SHA256=8C9C30EB64A734A5B8965536BFBF68220BCEDF4BBE6A64939477E5C8AEDCFB2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.844{5EBD8912-7631-6151-6177-00000000FC01}1004820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7631-6151-6177-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.641{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7631-6151-6177-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.625{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7631-6151-6177-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.626{5EBD8912-7631-6151-6177-00000000FC01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:45.312{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833D2CCFA8226AC54F66632A8C1B79DA,SHA256=00530BEE4DBB67518088C794944D1486DEFBE85D3586C659BE677D987FD47EAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:42.204{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com56706-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:41.711{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58301-false10.0.1.12-8000- 23542300x8000000000000000959960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:45.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD0013ED7D24DEEAFF5E6B4D43E6F96,SHA256=3250A892FBC4300845BC76AE66D13EDF91DB72B031E395C08E2CEAC82C1B9791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:45.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF20908AD79521B5FEE435CAD77D1CC,SHA256=0F335D8C3388195E083EE26C7602E564C24B49F0C2F9D56E71B10A8A8048EF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DEEBC0FD4D3BD758B5D4E05359FC4E5,SHA256=99CE2F8DDBBD80765AF8CD519C94FDBB047109B41ABB965350BBD3E50503B45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60E04ED43E77F56340BB53FF2355550C,SHA256=15AD62BBA67DB97501B26538C8FD4628F470C2EB1BF4D5A8DBAE9ACCDBB83FB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.812{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7632-6151-6377-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-7632-6151-6377-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.797{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7632-6151-6377-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.784{5EBD8912-7632-6151-6377-00000000FC01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.781{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1610B70981D8244589D3C2C802E8EF8,SHA256=194F847E6419A05C6FAC5BB2102098C60B7EA32523AEB0C749BAE6EA3577C41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:46.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2ED7AD2D810AF490C392BC3B582CDD0,SHA256=2AA4FEFCBE70A6D7BB212AAA2F86CDC09886A0719B2A9E66EA92369457787A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.172{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7632-6151-6277-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-7632-6151-6277-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.157{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7632-6151-6277-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.142{5EBD8912-7632-6151-6277-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000959964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:47.023{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE2A5A211905C6948EB35DC776A6B7D,SHA256=CFF5443FCB9D4EDC8636D3A26F7CE7559CEB2FEE63D5D3A57CD48E78046C0C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:48.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5011BEBAFF7D5004A94A35E7D3551F,SHA256=A87E4ACAD88E32CB15A6D75B1781C9590E27B8396F47AD4430331F933572E7B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:46.817{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:48.828{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DEEBC0FD4D3BD758B5D4E05359FC4E5,SHA256=99CE2F8DDBBD80765AF8CD519C94FDBB047109B41ABB965350BBD3E50503B45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:48.000{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC10760535A70A932D61E24A4F00C5E4,SHA256=566F8133E39181E564BB524C4971641FE5C4DA6C43BB94B7C31F0DC6965E7976,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:46.820{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58302-false10.0.1.12-8000- 23542300x8000000000000000959966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:49.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DC418270C0C843919C88D1B56C6BFB,SHA256=8B212917BE515A3DB4D8238B2FD9B0EBA05A22D9915135D95469BD727722B0A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:47.707{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:49.016{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC2AA5F479EB09350FE8CBE162EC2E8,SHA256=02FDDD882794D1B960F94C5650B2B7F16BE0D85240A53E02EBBF860FF63895E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:50.906{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94CF5C3CA9969BC2458DD7496AD7919D,SHA256=6A449C99276C99522530CC3119D0C4C977B15BB9332AA18E49099C499E7C2247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:50.016{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC299A4FF91EF47F46360A5434AEB5D4,SHA256=AB3321727BA0EE38ECFC922E2E355BFA0FC9BF94D0C555FC063309D1A9DA8856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:50.054{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABD4651434559ADE827F5FC5A715EA7,SHA256=B76EA0CC01E5577B5C5C8B799141D6A66782BC1A7B2783CAF426B2406B37BCBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:51.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AD5C5BD1707A2DFB4FBF80F693637A,SHA256=9F38AEA61259D3A15E1EE5E4625B4CEB66B7A09999AFEE27E9747992F051DFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:51.069{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FF5C7B17D2E1C41FC7C64E91E24294,SHA256=C97E5403F4B23EC036AE2720301B6AC993B5C8E326A27F2A7D540F376C1CB68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:52.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91D210B44B2E098468E6B34E335F7B3,SHA256=3D10025F62512D664A83F922BAFC0AC960CEFF770AFB4FB160CB279EE340EA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:52.087{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4222MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:52.069{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D52CC174AE1782C94D75447D8E61A2,SHA256=927BD514FD2D988B9506B6315CFA85AF354A66F17D4CBF99B0A5893A6D685BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:52.125{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D302741438A7FF814EBD90E90CC6A26,SHA256=D95B0FC1D0F7F6C7BB42C04E0B82C422D9334888B7101774C1DF859886BB8906,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:49.836{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:49.436{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:49.089{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57244-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:53.703{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75CB2336C402D5F1A2C8F2415135EC5,SHA256=BDACDE0926425EDD83210D375F0D3ED9028C60B5D0B4034FF1E4B2521458C32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:53.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AD5B1DF0ED6DA8FABA68E369A8D17D,SHA256=B7EE70527FB968F4B2B37334ACF7053AE754E2CECA1465F8D91D6B10B5492DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:53.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB7607F5D49B2DB4308593029BB4099B,SHA256=E284EC31F3EFA36486DA05AD68FB619B9C5D96BD56373211BCB5742505EE4487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:53.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD0013ED7D24DEEAFF5E6B4D43E6F96,SHA256=3250A892FBC4300845BC76AE66D13EDF91DB72B031E395C08E2CEAC82C1B9791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:53.101{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4223MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:53.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C235B29C62A4CFC1153335217B2041,SHA256=F3F81F038F3D55146638B3FD2A554CB5A86AB573D758236B55C1D39F838855B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:50.690{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58205-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001023660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-763A-6151-6477-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-763A-6151-6477-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.812{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-763A-6151-6477-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.798{5EBD8912-763A-6151-6477-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:54.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93B3F90827E441B6AA480E196D31E5F,SHA256=C8C1BFFD7457280B13CFF70430242C4649B8B29007BDBE4F3A77DA7E822F8C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:54.100{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB63712C855E0E8FCD9E305580EEFBE,SHA256=9C275D437D977446B317A848E4339A07A87D1A127A5CBF6AE2C336CEA53D826E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:52.043{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59222-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000959976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:51.111{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-54660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0B0F253FCBCF2FD645FB46820B252D,SHA256=A3D1497CB0277C61309D598B46703FE18A2103601730BA087264842807A90EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.687{5EBD8912-763B-6151-6577-00000000FC01}39644916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-763B-6151-6577-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-763B-6151-6577-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.500{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-763B-6151-6577-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.485{5EBD8912-763B-6151-6577-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.406{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C020322C4E9E93FE4B857B888502999,SHA256=E30380332E2DFE47DA4F6F50A02B2601F3EDFC24338A2EE1E19B89B671B4EE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:55.116{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABAAE6D41D9DE4E2E04A25360D93739,SHA256=53F4BECD816CF4AFB74DF877193C41D155482D818FEC4A1BB1AF2AD46A583233,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:52.723{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001023661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:55.109{5EBD8912-763A-6151-6477-00000000FC01}20924436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.906{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-763C-6151-6777-00000000FC01}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-763C-6151-6777-00000000FC01}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.891{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-763C-6151-6777-00000000FC01}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.876{5EBD8912-763C-6151-6777-00000000FC01}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.469{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504E1A70897D533DD84AB3B59791A3EB,SHA256=15F72B7535569F808EC24F17D7A12D09B5C431F7057F3AABCA72152D756A0EA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.422{5EBD8912-763C-6151-6677-00000000FC01}32642140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000959979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:56.131{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A394E948AB5849DFA3F15A8876A85,SHA256=975159CBECB45EF30EF476F5390D3C961AB0CA591E2284CC79CE0AA909D17AA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.203{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-763C-6151-6677-00000000FC01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.203{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.187{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.187{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.187{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.187{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-763C-6151-6677-00000000FC01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.187{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-763C-6151-6677-00000000FC01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.173{5EBD8912-763C-6151-6677-00000000FC01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:57.422{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567E8392E354F9CD395E6C540A3DA743,SHA256=1F3F244CAD0D0BCB6886F80EA8C2B5619E8E13000820C17F3B27C9C19B8265CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:57.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A303DEB668DC0515E773B22E12CF7BB9,SHA256=41BA8188FB506ACA7134999256AFBB7D0D456ECEB6B643D40036D651258D3B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:57.188{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41EA5E4B24B67AF381779F18BC28C0D8,SHA256=04E069170947DFE7B232A82F1DBF22435D50ACDA846FDE99E2F056C5C9F53C68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:52.820{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58303-false10.0.1.12-8000- 23542300x80000000000000001023710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:58.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FA43089B1BEEDE3D1E404655EC56C6,SHA256=3005F3F2DDA700C3BF8EA99A2D06BF3A1D81822CD26FF6CAB909CBF296B8FA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:58.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D213D115BA58FE73A76538AE90B00605,SHA256=C58FC3DB4F7D79855CB5B42682D788840DB5C045449674537DB1C4A0304EA9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:58.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB7607F5D49B2DB4308593029BB4099B,SHA256=E284EC31F3EFA36486DA05AD68FB619B9C5D96BD56373211BCB5742505EE4487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:58.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6F7916055B2C6ACE6D3F894BE75F05,SHA256=D2D0BFFD31AAB31CF2380EC579C18D09EAB03B4E3D3147FDCA49CFF5864FB09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:59.453{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C749FE24FCBAD0AE016ACAF5BE5068F6,SHA256=87B75009AFA4A6EE7565DF5DDB6528E714B8A3B4D48D12C9AA1EACF4F7783336,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:56.554{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:56.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63157-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:55.921{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com53645-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:59.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C775CBF31F943D60BAF7A5EA82354AC6,SHA256=F61DEEDA18F8EF879E19897B60C1FB4B84285B26F35BA83396958B97EADCF7D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:56.865{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61997-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:00.466{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C27BE729A5ACF7656B03A7C198313E,SHA256=003AD0B03FEB9885376BDA7C320DAB885C8F91F048D8EFB94B908704B75AF271,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:57.369{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:00.176{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CCE7635F7CCA1958802836C24E3079,SHA256=079E58B7F7127CA80703D31260B89E7979140B323001FE22C06484B24109D6DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:43:58.707{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000959988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:00.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC912618FEFABB9E5576AA0019D895AC,SHA256=D27DCFB8165409F0E211F3A39936007068DFF8C7AF19CA52E58362C617608DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:01.466{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B10293A69223E38355F67AA8A7B69D,SHA256=2383C4CB7253961B0095DE7B7808BECF05223E61DC37FCBEC766430F899DA36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:58.515{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64716-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000959993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:43:57.898{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58304-false10.0.1.12-8000- 23542300x8000000000000000959992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:01.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=985981E9803221CDB17CB11A75733A21,SHA256=F3F6274E671A6E3BB549444F8445E479BA54E59AD6D5E761271B7B5F3B4CE424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:01.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2392D15560F937BBA7AF0F5F12F190D3,SHA256=58D3F0CBC62BC425EE2601C92B36BB3F823055F2F9BB8E0632FA0B6ED2DA76DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:02.466{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D920BD6AC948ADCFEDDE9D8048EAD25,SHA256=2CBB58CD94FCC52FACEB4232EBFB62B0282A700362B6F4F8E00B656051FA5FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:02.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF236897B2A9B9C66B4B8330736E11A,SHA256=C3A92B84F6360FAF567E106C8CD39F77D937602EABDCC6FCB7E372B3602C1446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:03.482{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E381EB383894F0070ADFD1EAA314686A,SHA256=8B453F0A85ECEC3D84194BC05C9F96B08D280F991617BFC5D6C5F21F53916D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:03.223{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DAB08DF34C59120E627ADFB22BE2D4,SHA256=183402B10A5FFA8F9ED40BBCEF0FB4F402BE4F5F924E739D37DDC807A4A1D62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:04.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49A5E09D65362ACF10B86F00D79FF8BB,SHA256=9E732C64BFB09276000A39024534B3685AB77D75F3CC9AE056657B4098AB3880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:04.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9376D17CB346AC98E564E63EC6D70FD1,SHA256=4DCCE801BEE4FA853DBCC0EFDCBCDA04A430B2C2D89FDF59682489BE0247B86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:04.482{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAE5338BD9C8C2844F5DB432A30B28B,SHA256=753F1E4E3C6F0DDD21FE57E5EC79D9059090F6BE2CA25E02A381B23E98051BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000959998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:00.991{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000959997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:04.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A183A00C228ABDFE1986765D689A9846,SHA256=7E23336206064EA66F52D6858F16F10822B09A58124926C6B37675B8B39C3C5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:03.814{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001023722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:02.939{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:05.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0633CFE55711D271E868C843FE5744D7,SHA256=94F48DA69DE9A05756488D6958C40AB92C5F0498779A859D6408007BB9C2F7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:05.254{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70315A386B2B452DAD0CF68E30FCF501,SHA256=7936CA4390D9C189866060C0ED2FD0D59D28C3E0567D6889875809207162E69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000959999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:05.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13A2476DDB7C616BF178308E52301DAA,SHA256=A0F96DEC0FAE2860CC6522B3827CFA02EB4BDC935FA36A176FDFD9A6D906E8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:06.747{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7E2AB1EE522628714CD9E568EF0285,SHA256=CDBE536F2F2EBFC538AC074CA50DA1AC508B0BCAE0A94528478DBB83D8624D68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:04.527{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51014-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:03.849{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58305-false10.0.1.12-8000- 23542300x8000000000000000960001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:06.270{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5884F8C44EB9499148DA2FAE6B428AD6,SHA256=DA2FC3168A54DF0606F043ED1ACE8FAA3860F0B720C225D7FBFEF12728A2086C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:07.763{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2582B93619C114C9DA874A956A8C9728,SHA256=1A58AD5E68887A47D8D09D32C597BC37D6B0A09AC116FEB4A7210E347AAB88A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:07.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF3321750D6CAA25BE448E6E27FF515C,SHA256=319DEA75ED7F4B338EA283F010200A80FEECA0E4616B1915DD118B70ED0FE76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:07.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93212E2151BBABE7152AE67C478048C,SHA256=3E3B53A35AA81B72C9179E88F5B9AF9B6D1EDAF33A5A0C9FE46DE6545A5DF900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:08.982{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E0565967B8D416F83BF85E81C5454C,SHA256=DDFE2BF9240B54473F235FC85E5020E6D179203B5395BD0ABE553EB24C578F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:08.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D376B8257E226A780D8CEF32FC290D22,SHA256=115732FB8CF050497DF4947BF682DECFC4ACCBE1F8DDE3253A46C00280B05226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:09.457{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65380DD64191C1C226D5A6B695321BB,SHA256=2C38DDD1920C0D044A4DE90EDA7EFAAACD5D4FBF56747E84454DD487F0201886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:09.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80DB48F7E09288D3678C4D82E70B3A5,SHA256=B0E6BDB2100810C62EF97AE1EB69F48F9F89FE68C474A66A0E1DC4DE1FC790B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:06.097{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:09.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49A5E09D65362ACF10B86F00D79FF8BB,SHA256=9E732C64BFB09276000A39024534B3685AB77D75F3CC9AE056657B4098AB3880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:10.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3FE010616702B5F32DA5958AA03B11,SHA256=0071A5273ADDC47587DD2DF971AEF22B7E1CC31982AECFC2D68CC55FE302248C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:10.169{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5B14E182F62806B676D8F360DBF6D5,SHA256=4EB38B7D474067BA38BAD071CC0145A13570166465B42DB22A0AFD44BC1AE47C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:07.759{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56313-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000960013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:11.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A164756A9BF4080E90011078F54094,SHA256=E620DEE490141FC16C8ADBC66C0FBB7DE4391B1A42B5CDB36E7370AA99F8E947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:11.770{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:11.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B8FCF35A5EB4E39B61C19DCC41A009,SHA256=4C3395E3C454E1333821FB69D477380F580AC53B765F2CF12CC87ECC68202754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:11.169{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF0CE8B2FB99943301AC6BE3D8D27C3,SHA256=69AD8329D297C34E789C2C3D52B49712D3B3014B9A0E5E5D9313986CE5C48718,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:08.892{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000960016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:09.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58306-false10.0.1.12-8000- 354300x8000000000000000960015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:09.223{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com50076-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:12.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8579C85BC9264E1B13FB12FEE4F0117,SHA256=3DCE0CBB86FED9873CDC3339C36967279C88601F846147DB8AB3DDA0AAE8B8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:12.185{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AEACAB1AA4A7F90D1AA39E8D51CEE4,SHA256=D5E9E45CCD071B7802CB1259234CA4F8F071BDCD08B182E29ADDD4FDBB595C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:12.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55B9659CDEF2DA50621CBA26CFE135B5,SHA256=17BC7D482DA2DCFFC4F3994705A1C315D994BA63B08C01FA2622F15E1C982E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:10.411{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58307-false10.0.1.12-8089- 354300x8000000000000000960019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:10.373{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54796-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:13.504{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=955EA9F91C88C74ABDEC5B42AB108594,SHA256=83FAE76FF4686751D6D387ECA9404E3A964520EC529BBFEE663E79E3C71ED1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:13.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F54AC72F697C17B60A286E955C1682,SHA256=5CA7DCD49A0BA04E5635D2BB88FC718F8E671D3B4B441455C8EF2D4378B367BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:13.200{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B21770F1C23D1D13362DB74C483370,SHA256=9AC3173ACBB374311EAAE8C034716ECA0E968F3A74DB68F9DA77FE22CB71326C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:10.318{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53998-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000960021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:14.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A779FD14F7ADB90FCD07D77200083976,SHA256=AD31A452DEFB1D03F6D16E181BE775A10D5CF27E38BDDE848C93BB50AD431E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:14.200{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57107A91134B6A25A4D3D153AEBCB0C3,SHA256=A19A9DA145033CE626C53CF11E30EB05C0C079C25789805989FE379CDCA745F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:15.357{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A457AD67BABA02BEB7738F7F314CEC5,SHA256=1E76F66D912E97DCF27E2B796E6FE0F3C0514EECA36061408A50653345B8B703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:15.216{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46E1C7EC7D9DC8DB4C69E4F244C7F0C,SHA256=89D630F63189BA649DFB5434BAFB846EEDC3608135442B890E5FB289214AA754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:15.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4A7ACBB532EDBE143AC9367FC928EA,SHA256=B28344F376B140405DC5D3CA958604A777D6DB4DFD9F0A72254D0C3825D7BBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:16.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C63F9B8B6683559A55FE698B1F6A4485,SHA256=4F5ECB3E186D175AB74A4A837B57E6038867693900AAC9F06B37183CD9A43CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:16.216{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DA856CC96C5FE9DD035732F95FCEB9,SHA256=C4078365F3A3E7EE528F4755D077F78F2D50C98802D37C7C28B403A45BFE4A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:16.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E452A426929EB4A444DB7199B53931,SHA256=94F848F31336622097A5E39CC7F40E859D484B907A9B95F42B65091C3A8D3E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:13.859{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-61736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000960025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:17.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9855EB6B8DD6E2C4D0150138B9E8FCD0,SHA256=16BFC7D13ADC214FB9F5513976AB1DB8872BE88CD356B36D647E16A170890EAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:15.127{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52443-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001023744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:15.127{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52443-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001023743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:14.767{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:17.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9115F08AF972CC983D8C42C9B0034D,SHA256=3C073C0F8D6DE46D5492D421F54833FDD3C02C91310DF1A55A213566C025676D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:17.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71AEF17BAD57C745216D7D9A030B3B04,SHA256=D83873C052E661B9327445F76E124924FB77533D1673E564EBB4491FAB793F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:18.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD5A29064076CE67E5AFC30E4C3125E,SHA256=949FBB5D58BA5B6F8500CDA6F3E549EC804F280F9629B98D8DB76192F9A50684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:18.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8723CCB27C897FCBB3E2C2C4E7D4EC9C,SHA256=BE2B3AF58B9F9A3223E9877C7FA5702DE56CC57B1531C6A6240F76BB36BB528E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:14.880{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58308-false10.0.1.12-8000- 354300x8000000000000000960026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:14.407{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:19.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2CA6F214FEEED06213B5CA90BBB88E,SHA256=EA30A01858BA6622188B72C454839FD42FB19148ADEE4E38ACD525862DBAA69B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:19.247{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9DB8F911779150B879887E2B6A187,SHA256=A5233E827D38D07033F09304DF5422B77E22F06D1C50FDCA885DB84E5556E95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:20.486{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4222MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:20.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6173B229B53E3A59BEA6ADC6389B932D,SHA256=E31378C2782E9E2C8ADA65F3C33F8490A8BB6C0709053A81D49DFF6336FB1F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:20.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86C0D9465CA669196D249FDBB1E2C8C2,SHA256=2BA2C036ECBEA6F512F5A6535BF95C6E8914C4FC9BF79D1358DDA51AA6C3C685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:20.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA7B08865106D513CAFE5CE29054542,SHA256=0E991988D70D45F6F8A6A8E69963F5CA3D1CDC7600BD0171ACDCD8DDC3379E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:21.428{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D29B0747A81E3559AE442F4A66AEFC7,SHA256=18CA757E7DC51B2390712408E285E8BDAD8751AD7357F0D0A53BC39E137A05B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:21.500{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4223MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:21.265{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E4592C63CA72DBA555F16FFE67CEE1,SHA256=5D634105B58944539A00064F813F24560EF2FD17DEBBB32C6AA383561CAEF89C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:18.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59593-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:22.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983FBC46E7891EC84D4F3E69D98B5E6E,SHA256=1BB7270DA57F5160ABB5D7B3053B60AEC1374F62E85F3B9B50ED2F1F23F84F88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:19.831{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:22.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EB04DD39C59F37C2D65DFF3C0CB716,SHA256=E2BA5FE7D54A94E7D4490CF395DAEF34382EA2C0F784AD92697756DAD4D455C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:23.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0939E5509CDA4B6F37244E0C11D735FC,SHA256=E569EBE5EBB5DA09FA7BCD45142A1C3398B2EEC78EE709DA81FECE3C93D68B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:23.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A36CA8E481B8F1C5FE7D7335E7C6122,SHA256=B5CC9A04FB7F24FD34029FD8F93CD5B3F44A0C16F9C53D2AE4AE97AB366B9068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:24.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75654AB7D626D6BDAF483FEEED28CB8E,SHA256=30C95B3A0B29B0D3BF6612FD21A5851EA47B0A31137C154BE38D7C5BB734F18C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:20.725{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58309-false10.0.1.12-8000- 23542300x80000000000000001023756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:25.626{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750F357A7FD541985BB3DAD6770E0F34,SHA256=56991824445C960F19D6544D16A135A1BD48E98743C3D7C4709ACCB69574794F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:25.319{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F220B0548CBD8DBB9D0B99CCA793363C,SHA256=B3AD8BAB62039DD4C38B5B09D1D164B29540E01793A0231BA4F4014E88666B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:25.131{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7749C3970428F49734F3052EEE19E3,SHA256=F0DACF3C8B9C7587877920FE95DCF0B559D54ADB0AFC1A6AE21C591D3860F061,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:24.942{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:26.641{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547C3ECFCD2F11108783B6209B2BA5EB,SHA256=B46B29832574334A164047B5F61114518147FBD4FF353DF12710CF1E79F27D40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.459{69CF5F33-765A-6151-5A77-00000000FD01}8401312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-765A-6151-5A77-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-765A-6151-5A77-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.319{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-765A-6151-5A77-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.304{69CF5F33-765A-6151-5A77-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.303{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC58A94267BA49076E69CE6FEB8D99F,SHA256=66CF895CAE3A9F87DFB6C41DDCF8032ED21BBB55C16B00A58EC7CDF0767FC7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:22.793{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com63031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:27.657{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07BEF3DD869D089029D39F99CAD3C1F,SHA256=D775A80D172F46A9F8256D916D0928414349DCAE5D620C676EF47ABE57878ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.756{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65471A2BFBED3DF9DB5012019C7A6D45,SHA256=753802AB7D7C8C016A016DC462162A3BFEB20DB7B12ADBC603106F02A4D2B642,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-765B-6151-5C77-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.725{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.709{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-765B-6151-5C77-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.709{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-765B-6151-5C77-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.710{69CF5F33-765B-6151-5C77-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24689766E9192FB59AF1F333F00A0AC4,SHA256=9D8966A2DDF1C68AC2C3F2BBFE9125C16CBD0516CD2860D44140740B829E9E89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.194{69CF5F33-765A-6151-5B77-00000000FD01}32483316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-765A-6151-5B77-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-765A-6151-5B77-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:27.037{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-765A-6151-5B77-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.991{69CF5F33-765A-6151-5B77-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BE007D40697EE07ABC8AB37113CD1C,SHA256=B081B13412543E52B35D7DD3F0C2130E100E1BE568B0155D35A6D1C63E514655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.740{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E95ED167DAD57EC37F023FC84FD43AC,SHA256=3CF6FC0BF7D2E657156BD16C65B19B1EA21991464F82D73CF367CCA70741A997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:28.657{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189541439C06A5DA7EE4AD5B2A34B1C6,SHA256=272E70FFEFFA260DD5839F60A9267B1B42EC29B60661866BAD871EE30DD6F380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.553{69CF5F33-765C-6151-5D77-00000000FD01}2492708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-765C-6151-5D77-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.412{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.397{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.397{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-765C-6151-5D77-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.397{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-765C-6151-5D77-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:28.398{69CF5F33-765C-6151-5D77-00000000FD01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000960127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.975{69CF5F33-765D-6151-5F77-00000000FD01}30483728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.803{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-765D-6151-5F77-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-765D-6151-5F77-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.787{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-765D-6151-5F77-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.772{69CF5F33-765D-6151-5F77-00000000FD01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.756{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3242F8B7C30F73D302970B55ED243271,SHA256=CA634FBD464A81A2968A4F89D8609BC9EEBB8A33640A8BA8DE8F7473978822B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:29.672{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7071B125CF6054229E91E8B651C771,SHA256=FA853D9F60E55367034A9CB431BEEF9FCA80C82DBB1D00CF54E34D1E0308A030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-765D-6151-5E77-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-765D-6151-5E77-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-765D-6151-5E77-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.100{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:29.085{69CF5F33-765D-6151-5E77-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001023761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:27.317{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.103.226.77-49434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000960130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:30.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA7121D2B39108450D61097FF993E73,SHA256=426F2533DC9AB2F8A5EF8C7850B5AD7A1A8DC62C7171F5F2A338FC105EAE0517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:30.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC5FB98B7DC7AE537080E44A2D2FAE2,SHA256=28875CFD4688D6092F6227CD37D8C354087962CC239463EABA891B93882EC3EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:26.709{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58310-false10.0.1.12-8000- 23542300x8000000000000000960128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:30.115{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E629B78F33A4B3AFF4D77C70A3E5EF31,SHA256=E84E068FBBD3B71AA0AD91EBCC123D2D4F52C55FA9095C6044DC7160410BCA59,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001023767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:44:31.844{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b373-0x823e42d4) 23542300x80000000000000001023766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:31.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2744F5997193CAF4E572EB27106F698B,SHA256=A47B7BDF362CCA651A289BE25D2D36038635171C981A5E21E24BD8C60B59126F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:31.912{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D1731354A889599DC61B09436D34AD25,SHA256=8132E86803CA802755961F11C4004381F1A0EAF5C43B689559B03E4A3D97623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:31.625{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEB49A831C69AEA5B0324EE834DFF739,SHA256=55332C5A9B9C970443FB77D60BD441EAFBA74985D050AA522B2F237231E90165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:31.625{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B889E3EF39E0542988E2329C85DCEFDA,SHA256=10FCB5083D3EB1BA148EFF90A9F79F1C0D8D9661A64261B2A9A48B5347EDDCA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:30.864{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:32.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2C427776FD14279D787A243961149B,SHA256=FAA99E7592C67DC9E295558C6F71BC3A72C1414929373E9AFF33A7DAC60A4C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:32.209{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C161A61057EE6915299321A4E856818,SHA256=A5B435442C2B3862FA25E1D4F8BA88DA31730AA992EA6E4CB7864D3159D8867D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:30.292{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:32.196{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59861-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:31.520{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001023772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:33.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEB49A831C69AEA5B0324EE834DFF739,SHA256=55332C5A9B9C970443FB77D60BD441EAFBA74985D050AA522B2F237231E90165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:33.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E664C6A9293BC6FCA43E80FC21E78668,SHA256=FC97C6E4845D07762F90E4FF398B47CC82F609CAE89A6DCA4A1C3B4FD55BDBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:33.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEF40AECCCE5D21F7E29F3D7AC1A6EB,SHA256=9479705F77F1C3099058176BE1569976DECC815BF40C097728852D990605D892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:34.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C00286F27FC1CA1A70F3F1DC9FB827,SHA256=415AF45F7EA4EB36BC60CB8EDB7CB119561851677577214225B87CB19DED68E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:34.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9EF99D5CF48A4380C03C6B23843DD8,SHA256=608FA48C7CE8259083360C306AEE1700F9463BBBDA698A76972B439B0E86BA76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:31.803{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58311-false10.0.1.12-8000- 23542300x80000000000000001023775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:34.641{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:35.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB906502D8CA5387D901380FEAC59FE,SHA256=38585D952D531F0003BEAC095DA833E1DAA15490B276710FF8EA2462D4CF6FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:35.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB2A00D6673CE401102127056D096A6,SHA256=C3B32ACCE752B0C7205945D71BAD4A2BDF59A696F0FDBB8001D9392D7DEEA9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:36.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6853B62E812D1396AA377BBAE71BE4,SHA256=6C8DD8F323569585139F45AC83540586FE593C5A15AB4AD6E044A7AC03DCB1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:36.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDED4600961F344834B573FD738FB037,SHA256=346FAC5F3EFBEF25C471CEE67A445CD2C360F9480E68F73FD82C58DB98B0DB53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:34.317{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000960138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:37.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9A366D6D8B480848C68DF35F67FFF8,SHA256=CA529B4A1C1124A0040F2083541FF486CFA685A521569AFE434615245D545A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:35.173{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53262-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:37.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D34F12E072A0A0435EFCCF630F2160,SHA256=C1C034C604E806AF1DE2E2E9851790EF8FA0312D318283461BED0A37DC23B4E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.803{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486E563BB683A120D5DD47579F0F9F3C,SHA256=FEFB3E302C72C67916FB75FBDB9F7C7C53035A5435D89120223180B2F02BBDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:38.579{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D8474A608C6FE87EFE89DA06BBC88F1F,SHA256=ABF6DF3BECB06C54A40492DCFDA450986A974BE9A9A49FD08DFFCF329DADE693,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:36.723{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:38.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A57C4460955F00AA7624B9F70E48D8,SHA256=F93187EE52F7DB769FA693187F49008256AA2799D2EEB4AC8BA4CBD59D3A7755,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7666-6151-6077-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-7666-6151-6077-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.756{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7666-6151-6077-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.742{69CF5F33-7666-6151-6077-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000960141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:36.080{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com59245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE13035391FB43CACE5F8DB51BA569EB,SHA256=8671BB8DDA33ECD9CBE971F3C6EE722DA5141E637FD77D5A0B4F374348E448D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4200CC7F2D396E450AAE13A97DB0389,SHA256=27077229E7E5D0AB78B41E039281681A04A8894D1B3B8E28DEED307D094B6886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:39.837{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27CA548D70ED0E69305A259F0B4A021,SHA256=B03E357F9EEF24698DFD863C628FE9D3478757A52068D64EB839F6D9B631ECC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:39.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64004B598B067450D4F05993F145947,SHA256=FF0E28BCA5D3CEB6DF45733CEF112E7A4A2794B24C25B0BD84280C374E28749A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:39.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE13035391FB43CACE5F8DB51BA569EB,SHA256=8671BB8DDA33ECD9CBE971F3C6EE722DA5141E637FD77D5A0B4F374348E448D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:36.645{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:40.049{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588716FAF40121C32CE61F3D3CC27F88,SHA256=692A4D7CC564111D3EEA42E8DF70B0A596054EE3016AB716256C327990631801,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:38.628{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65449-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:37.694{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58312-false10.0.1.12-8000- 23542300x8000000000000000960160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:41.337{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F471D172562F518F476CB08036B7052,SHA256=0B5D2F0E80087A4C6517E18BED083162446A816E37816D32D2844C7EF5AADF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:41.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866BAC2EF94669F2EAB89AED8C0668B6,SHA256=054680DA8763C5F16453DA6BABE8DB16E3E8DB0928116D2A058E365A3D4CEE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:41.049{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFAAE131DFEFE88F30AFB683409EDD6,SHA256=1EEC4DC9738D00480A57B7EB424FDA6259D33EC8F575C1E436F6E388E8BBF7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:42.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECFCC656062D3BA4CDE5A7AC99303A3,SHA256=514A38E2541EEC74CA9A0365C240B8D6D1F5336219C09341B0CE3C492A2A814D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:42.158{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855FFB7B940C96D54BBCC9D7E9D37D48,SHA256=09FAF9E839DE388E2D8A541FC7FC4B6BE2A5AE907A161D9447809C8C39EFEE32,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000960165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 07:44:43.869{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b373-0x89690c45) 23542300x8000000000000000960164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:43.525{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6F0F72A79B522B7CC5CB02BDD83EE1,SHA256=B015F5D3D527C759FE0185CAF88B2DA982E88A43C80C2E61D1420B543B71C03E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:41.834{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001023790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:41.168{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-54099-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:43.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6759D653F6930104CF7B5106C91436,SHA256=D1156CBB5C0D7408F7FB8EC413112415AF3B1212AA3F27FDBB7CCA6B69BDBEAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:44.525{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDBCBB7572886BD3DF236EA75AE88D1,SHA256=029BE4AED20BB1CBF4ECC3DA5A421F4907D299BBC018883B0E67C11E891C00B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:44.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475ED879E62C5F48A78E17CA4D355C21,SHA256=17CCF0A7098B5E5855BD90D74589704A4D8EFE5066CB79FBC355EEF592890D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:44.189{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3126B38666A865B870E50842347F6986,SHA256=B5227A0810EF7E9337C6B01E6810EBDA2A68B247F9B7CDEBF7A365F121743D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:44.189{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCF73EA1E5980C1F0D44753F2CC4625,SHA256=5C305F2D2022A48955A76B763F951060480B79F29AEC0C93BE4F10FA7B85B743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:45.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E845CDCE8DCE4EFD713CAD9E64BE14,SHA256=B0BF0DDF35EE4DC42F462FF85A809E35701479B950650E853B7E8D60E7171303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.658{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-766D-6151-6877-00000000FC01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001023806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:43.553{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15-123ntp 354300x80000000000000001023805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:42.457{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001023804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-766D-6151-6877-00000000FC01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.643{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-766D-6151-6877-00000000FC01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.628{5EBD8912-766D-6151-6877-00000000FC01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:45.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F0AF8741BD54FC665A78E8E422713C,SHA256=E9063C9590CE3D3AE5AAE4361C01A30EC61A38613C42751398BC2F809C8BEED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:46.697{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A160548B2A5CF1244994A1EC6610BE,SHA256=957F10F4F6173B7C04652944D8ED76961BA1326DDD6B0FA700E53B7F9C646D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.690{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3126B38666A865B870E50842347F6986,SHA256=B5227A0810EF7E9337C6B01E6810EBDA2A68B247F9B7CDEBF7A365F121743D6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-766E-6151-6977-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-766E-6151-6977-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.549{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-766E-6151-6977-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.518{5EBD8912-766E-6151-6977-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.439{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1340A3021CB231A15F99657ECBC4F23,SHA256=A1700BAB17F246332697AEB156DD85DA6EE4470B89C548A73C16519EDB297C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:46.197{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5125D3AF553DFC38CD8050C4B156C24C,SHA256=3A9428CC264F082B7F8333EB6F1EC3EE9B5348766A8B39D3ABBFA4DC047D04F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:42.869{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58313-false10.0.1.12-8000- 354300x8000000000000000960170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:42.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58611-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:42.509{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000960168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:42.508{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x8000000000000000960174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:47.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DF49333CD2A33A10797294A6A3A77D,SHA256=EA9D897C6062B40F5A2610D87742A1612D4BB9B342DDD4F129836A58F24B8CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.908{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB214370BD51464E788DBCD22144B532,SHA256=11D57BDAF53111311DF1BEF861F0FE8106597E19EC113A4E278090389C8D79AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:46.136{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59954-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001023839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.456{5EBD8912-766F-6151-6A77-00000000FC01}33804012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-766F-6151-6A77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-766F-6151-6A77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.236{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-766F-6151-6A77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.221{5EBD8912-766F-6151-6A77-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:48.674{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2149F0AB9A187638D8C99DA9E736867,SHA256=9203AF0F3628A9A936A5535EBB3A08ADB15DA856C8C21F63EA183DBFC9610705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:48.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEFCDB33F82B04FBFA19A40F6B0A5EF,SHA256=9D3D420F9B91241A7ED8713808E852EE7215C3233F1B2762AEF8262C8A57567C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:48.455{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4BFA280E51DBDE7CC31377244806339,SHA256=1D1532FDF8C7DC33DC5C80AED25805D270E3817B7357D042A0F873DC3C82709F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.741{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:49.689{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EE607D193317F120FDD4CED7FC0195,SHA256=BB09828F0A7F660DDAD04CBDF4E882AEEDB7BF7268265677D582B597C3D4C83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:49.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282EDECDF0FE15179022907E936E2E43,SHA256=4C85D13D6D27F9FBBA5E0188517DD101357E26791E62AD16B7E2BADC4398BD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:49.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25BAA6E3030AD76C8778F9BFB142E5BD,SHA256=4B1884DF42FE4DD214E9BB926CF438C5CF3061B64B08C2083E6094B914693F99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:48.121{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:47.964{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57180-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:50.814{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C8A4421A141C205AE2405F4919D744,SHA256=1294FBE250950B7058DCC51E1C0CE74850C166D804D4C914D8377DB521A39AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:50.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F53730E2A5F322A74F07B6E4E446548,SHA256=AE828D45DF3376F6067A29BC1C3A5B52B946A0C984D9267D1272CF65E724E386,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:50.456{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:51.830{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA21A3D5C6E1690CFE9D7351C85C49AB,SHA256=B816FFDE4307F46606FE500388865B00372D9320D66D560BC79858D4D9039FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:51.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE8AF7543A2870FAF6CFB1DBCBEC69F,SHA256=35A66B76C761F303FD6F4EB6EB7720FD22BF44F5E9EB87FCA0DD329759970062,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:48.791{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58314-false10.0.1.12-8000- 23542300x8000000000000000960183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:52.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B5E3DF31EC8373E36D353D654DD0E8,SHA256=87345AB9308CF9F69EF904E0A9E0E0866E41B962F4903A98153B54583B38248A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:52.830{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54235A5DC04D0961D26FB047FF304F2A,SHA256=B558418C465E3A0BDE00B4BC7DEFC7EDFC785B0396401B8B9EB27D2E76D1F881,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:49.565{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com55770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:52.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0BAB15C8F11B324AABAE1991724AB16,SHA256=2D7C80E750A6F083A1737EE2EBF459DFEE9D54A350028D4031BBB7CDF4503732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:52.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE5BAE3532C0ACE6C1393D2894D8A3C9,SHA256=92374C1F847A950BA39E4775E3AD09847092BA343A157345ECB09C5900CD2753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:53.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DABA8FFC8A2C50FE8C148CFBA53F43,SHA256=4C0E8C0D8CF10E8BDBFAAAB3208D5689FFA39A0FE320A33E55408CB4F18C7D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:53.625{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4223MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:50.366{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:53.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0BAB15C8F11B324AABAE1991724AB16,SHA256=2D7C80E750A6F083A1737EE2EBF459DFEE9D54A350028D4031BBB7CDF4503732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:53.299{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C675FD33627FF495FDADF1AE1506877,SHA256=FA2262CA6A305B96B3B9972CDF99A16091D4C6874ECDF2331CFD20F826F34B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91877B7CE98B11B6D1DDB9282DCD2B15,SHA256=7152F70B7D521C8824DE83C58999397C993ECFE58FA72D24C4098F4D8791C37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:54.637{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4224MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:54.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AECA5F4F6686C6BA6669913D02C82D8,SHA256=4AD344E7CFA1FD9F07B36FE51F406BFD19193D85EEE6DE21AEC23A116209C1F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7676-6151-6B77-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-7676-6151-6B77-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.814{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7676-6151-6B77-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:54.800{5EBD8912-7676-6151-6B77-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:55.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A9DEAEBE5EDD1C5FEFFAC9B5B3783D,SHA256=A5DE8E9BF733A2E989181F0AAE42FB234D3C2C28875F8DB92A1AFBD6F3A3F6F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.908{5EBD8912-7677-6151-6C77-00000000FC01}3402584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001023884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.830{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C46B8B7BC3554FA61507B61E9C2822B,SHA256=701ED12E4EF60F583E1CB700822A44E978680ED992CDCB78D93F22C476815DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7677-6151-6C77-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-7677-6151-6C77-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.705{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7677-6151-6C77-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.691{5EBD8912-7677-6151-6C77-00000000FC01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001023870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:52.865{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001023869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:55.158{5EBD8912-7676-6151-6B77-00000000FC01}33483176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000960190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:56.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2DDB406C623F1356FB9CEFE5A3CEDC,SHA256=DD8C36E3D87C43180240E8C2A67159CE973013475B702CA2724F2F1CE45BFAAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.971{5EBD8912-7678-6151-6E77-00000000FC01}44884356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7678-6151-6E77-00000000FC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.752{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.736{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.736{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7678-6151-6E77-00000000FC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.736{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7678-6151-6E77-00000000FC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.737{5EBD8912-7678-6151-6E77-00000000FC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001023899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-7678-6151-6D77-00000000FC01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-7678-6151-6D77-00000000FC01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001023888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.236{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-7678-6151-6D77-00000000FC01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001023887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.222{5EBD8912-7678-6151-6D77-00000000FC01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.064{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE9583AF823E00361CA01ADA6C277B2,SHA256=E4BC549571B46A6455A2D8DCB77338A6FBB91C3CF17419D77ED3D040B8334076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:57.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9299BC6E8908C024303CEA38D61683F,SHA256=F09CDF59BCD53AE903B53293D4FF45E4020CE8CC2B93036DD39D01E91EEE4C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:57.377{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED513B8579EBCB45089DBB4252AD0AA,SHA256=002E19F0EEABE1656E7EF13EAC237C112C8F0FCF7D106F0137041933493FC680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:57.377{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C10B8C2FD132479C83E60E8E880DC97,SHA256=4EE9A5692BE2355ED53447B15A38F4989FA07828CF20D99D1913E177FEC49E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:54.731{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58315-false10.0.1.12-8000- 354300x8000000000000000960192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:54.482{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62749-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:57.200{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E6C62AF207203C0B395AC3304E4DB58,SHA256=928EFDBCAE3E7911788B8F0D050C44C83CAE4C54691B9EF2E2FA3857003982E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:58.825{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D0E21229930079F27540A1843B91F4,SHA256=F5CF66959A2F2BDC984D264962728AA3D723E1687A9B7736F898A755E356BA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:58.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F59A9223221392F9191E747798AB68,SHA256=B3AD92342FA4AC9B614F645FE52EC4F051530449B445706672581A3AFD7F5F04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:56.080{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49610-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:59.533{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED796E109D68CD60809621F54BC5950,SHA256=03BD7BF95A0240710D36BB6AB8CB0BF8322CEF996D5739944168CFECD52EDFD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:56.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50698-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:56.328{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50429-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:44:59.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ABBE780A1881EE78A74A25591423B43,SHA256=6B97A8862F60C8B7191B9D7E84C6BB1D37BCD22F648E84418DC2E95ED4936E08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:44:58.819{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:00.538{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E7A9A161AAD73549B73110010AEEA8,SHA256=D79DB1C4961CF0667F3224B6ECEC7FEC7D45CCEFA8C3FFC8A781D01A7B99418F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:00.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E45E5691A0524BCF92F4C81BFC58B9,SHA256=38B9C20A2FEAE59A571938F303970EF7D4F436AAD55B70E64389C94E45924D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:00.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E115B3F5EBC9553CD12BE3A629F8C27E,SHA256=E6A7CB83AB06DAD71E85745FA38815E2061665B882D7516A5BF7CB8D9BAB4BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:01.554{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B8D2132D359181EC7016A5DF9C43B9,SHA256=9207B4A2AD8162FFD713B3562B76D516F22FC8641276203BA22BFDE606413A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:01.280{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ADCB698364B1DA477DD0792167A11F,SHA256=8900304610C72E8CF4849BC1A3A43E831DF45D3ED78F0F04F71FB78D79518E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:02.554{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697C7F307ED74C7690A3DF37E5D6963D,SHA256=910DE2BD123F27D6811A7CDB6C07DB6A953239D7FB5A4548BBFB107703232213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:02.374{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E3ADC4910C2F3CD095F9FA83DC0C42,SHA256=9BBB82C3756890F52FE9E1663D2E46608FFD983C4CE53FCCF6281957216D7B7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:00.717{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58316-false10.0.1.12-8000- 23542300x8000000000000000960203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:03.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57D7D4CBD6060ECCB8A7E35FD9685C3,SHA256=EECDB86037B756C3724CBE8B93385DF1A275B6DBE937AAD30155FD7DE32D5D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:03.554{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40BBAEA2F4E0EC185955D16B38F5E97,SHA256=9082F1652E8190FF614B30A8B955675A32212650D90F75840527F770C2169A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:04.569{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32FA01DF5762563B1E28159853302B3A,SHA256=9430C5205911D5179E6A5FE03727EE5D70385FE2DE6F34EE8AFE37B15D1321A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:04.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDFE8B78D7729B2F0DDFC56602EBA996,SHA256=A90C6DFD0197BBEC8F6948A742578C92C03C28A329A332553FA7BA9048B4A001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:01.411{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:04.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59E8AADCFF8F0B188B2218198EC1D51,SHA256=D9B0FAC8DC43121A0BC84833F4B2EC7104390AF80081DEF64CFD1C922DD05166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:05.585{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4385D084FBBE0B625698AD88DA2878A,SHA256=AB92E94A621B809F961D4333814A60D1B2680B07B5A5AAA8484F1E75F040389C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:03.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com52679-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:05.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C03A82D82EC530FF382F0E46B9DDF3,SHA256=87D0C4E49E04421517F2954F1657124224E2C227CE46902B3E0539C015314735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:06.920{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24E4B6E705A0DE9E192DC72006EE06D,SHA256=971B48B59B5E0F4ABE2FAA84F55A9B3B2300F345A6DF2AEC43C34CCA886493E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:04.776{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001023927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:04.557{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:06.601{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291CD1AEA6B8622D238EE978A5047C0C,SHA256=535CEFCBC5D1FC97A1C026B296EEE79DBBB54F08CC42BBAC8A7CE24A81B44FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:07.632{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53E5EC507203C893389C8CADCF2AEE7,SHA256=A26636FB4658E896FC4C294D0F6E0A4733AADCC551CFC96CAD4C4584E1FA9563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:07.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C0BC248F42A1A112714017F4D9A639C,SHA256=6DA472BFF5C6C3B539BD9AFC3690240CB1252D303CFB411C3E46CE10205BFDBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:07.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:07.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:07.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001023930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:07.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575D6E5B514E254895BCC7507C660105,SHA256=F2B18AA3142EC44C9CD8FBBBA20779B359C153240DA7D9BB9D4B85009538D9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:07.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFDAF6799481581E1A48C1316C718F6D,SHA256=A5C4E7D33352F8CEE8200B3795CCEE9ADFEE1EE5D7DD4102876B763665164E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:08.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E38BC32ED02AF33185A9A9D11ED70C3,SHA256=C69FEBFCF2DCD8312E45DE48F78D228AC89C2F9F4ACB871CBABBF5E6CBB5BCD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:08.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0C6B562C9DB74F22A416489211C520,SHA256=EBC207EEE53051AB66067588CC1D67667FD8D0E02A7FF7A4975D895154E6B69E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:04.691{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001023933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:09.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA895D733992358219DD2F8C3CEF8D70,SHA256=644CE62D3161D8380472B022A5534DDDC3FD442E6DDCAF3B4333E403A3450AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:09.374{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718AD1468911353F75CC3FB4E2EEFF9A,SHA256=AB39B2C0D1A9032E9BAF09C35C98D3B7DA6E855E224FEA81F93BE45BCBA6323F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:05.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58317-false10.0.1.12-8000- 23542300x80000000000000001023934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:10.991{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4A76AB14AD95FACB85010CE869F3D3,SHA256=1E40019ADC0645C9E1D98ACBC4369309E6831E1BEBA86B4CE539E075434DFE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:10.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6B43ED423947C172D6AC64E21609BB,SHA256=64141AB9B292828B3DF74268A39084F1D3CC188F52B77EB08D5F4DE591D983D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:11.796{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:11.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C735B714B065759A28DB415B4402BFC5,SHA256=266EFC6A9B852A1EEDEA33119F08FBA0D71C3BF1BB5D17023B5DE5D15ADCFBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:12.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C1F1AEB0382E2AF207815AEC1D1E6C,SHA256=CA65EBF6F74E8D6502CCE1EECA01F0BFFFF14C6BB2E458C793A921F892AD64C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:12.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F6E121D609278474C38CD74F1F64622,SHA256=E242CC4C45EFC9D79DAB7F9E8EC315730C81479BE1144B46F52DA658727A8F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:12.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575D6E5B514E254895BCC7507C660105,SHA256=F2B18AA3142EC44C9CD8FBBBA20779B359C153240DA7D9BB9D4B85009538D9ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:10.729{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001023936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:10.701{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59165-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:12.007{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD001D2D3A0CCB5C6A8934DEC960D3E9,SHA256=D36824EE33D33B7EF517E8D0F5F9B492DA3EE1B6B76402360CE5F42090CD1C3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:08.931{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de65250-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:12.077{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84936D7A277AD70AE12FC0837B04262,SHA256=25782939B531BB799C8FB2DEA039D900A47F1C85D32A12F1061B04865E92A691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:13.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABFCE7A1369DF3051B7CEB1E1DB13AE,SHA256=EAE2DF58D0A1BE1A43A6C4D2232C503B459A12310DEF47FD008B1C5781B50B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:13.991{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F6E121D609278474C38CD74F1F64622,SHA256=E242CC4C45EFC9D79DAB7F9E8EC315730C81479BE1144B46F52DA658727A8F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:13.007{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF78258C9CB5EACAE03F9DCA6FEAEB0,SHA256=11ED159C2EDE9FC46598B67597917F11809CD9CCF655B6762D39617BA0B1AEDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:10.436{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58318-false10.0.1.12-8089- 23542300x8000000000000000960228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:14.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53C709F10540923A79A6E60A6182DF3,SHA256=B6C0DCB485827FB7A7ADFEE7804895665D2FC76FF4E4E2B0CCC01E2155EBB53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:14.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01352603321927B883938C96BF876F4,SHA256=33B3326F0381E8EC69B12CF72DC41E65E7CC0C0C1F4BAB1C0CABB401C9BAF512,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:11.873{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58319-false10.0.1.12-8000- 354300x80000000000000001023944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:12.352{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:15.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA58F5AB9234E08D123A321E464148DE,SHA256=C77F10B9E1A14A81CC295D8FC95CA0E96CA118F5CE89D29E315684CA8A7CF20A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:15.136{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52455-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001023947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:15.136{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52455-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001023946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:16.444{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0F21FC697588B3BA613C62EBB0011BA,SHA256=8F5FA1E59858D805594B764239ABEFEE3A00ADCF5E605D6BC57C4D1FB172E833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:16.163{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA32F0358BEF2FCA625DD7E2D6DBAEDC,SHA256=3C82C2912BECBA570D383DFFDFA4D296DCC9F8821EDA2464D610BF981CF09B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:16.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E2F6BA74BB1168FDE012802D2B0546,SHA256=6BF52BDCF305BC672DCB364F14881EF8A17B5804C2212C7EA54CF6BFE8DE0715,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:15.886{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:17.226{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091B96965C57B3C57B73D966D21C8B39,SHA256=659AF49DFC0C7145069BA3216BCA65A7009492D3D0F1814F7D7CCF95A878D97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:17.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBC5CDF0C873CA0F831FC2ED6B4AB08,SHA256=229831E60B5AF0CB9E599FB1A201642507619E46C220CD75A4211EEECE3DC563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:18.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0510653204EF1D7FE09DB87678126CE3,SHA256=432788CDBAD2A39A51570DA9F857157238486A3D68E1912D87CC1D0A72736104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:18.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7735EB34411683496821B741BB02E35,SHA256=6DC1733BB5B29BC1C096D5524C4EFC229641B5899810DB155F839F382920C10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:17.516{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50975- 354300x80000000000000001023955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:17.515{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58494- 354300x80000000000000001023954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:17.515{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65029- 354300x80000000000000001023953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:17.514{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56165- 23542300x80000000000000001023952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:19.257{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C043825FDD4917E2B9E04FFDD172591E,SHA256=D364F9906A575982DBD39FB46CC719532C1F161C77B6FAB714AFAFEE7CC755E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:17.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64669-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:16.437{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com49295-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:19.280{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C174B806796DEE4F8495B50266746E56,SHA256=3B0C2C73FF3AA03ED89D6978FB41C89251EC0E3683DBB978DA36AD16742A479A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:19.280{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3B6DBC42A1E324D1E553256715D9BD8,SHA256=40A2202A75D059E2F5139D0D8305D5F437EBDFA563F12F2226A30B71D436166C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:19.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D9F0745B2357911421CFD29C49621E,SHA256=FEAE0A912B9C8F5CF2A9F2EAE8D67B89A7305837625008C28C917384A937E8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:20.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1637695BFBC09A1F5A101B8C581243C,SHA256=DB93DDA88403AB262B08E800821B2FC4F16420094B4E9EC6094EFC3FD642F066,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:17.842{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58320-false10.0.1.12-8000- 23542300x8000000000000000960237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:20.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841290E0886724B1EA69E8AD26873325,SHA256=4EB9CB06DAFD584B17E2B86C76495AC17C7CEF7F2389446415CB7A3295C3A9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:21.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32039C5A671AEAB941F5CA898FD158E,SHA256=B65629D5E778A716D1CB75EB5C00D4BCDB3A3D77C57A39033EA85EC8719E766B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:18.827{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49639-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:21.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C174B806796DEE4F8495B50266746E56,SHA256=3B0C2C73FF3AA03ED89D6978FB41C89251EC0E3683DBB978DA36AD16742A479A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:21.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9683A0679683F16C1FB9EC63BBF4604F,SHA256=35BC2F3662F14728C5D68E2522ECFA5A2D5E9463C04D72D05979C8B0FAB35115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:22.699{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2A2015AEBDD817338739B1284D24F4,SHA256=052C9F5166999D51ECA1FF9C38602B772AC1D3061C24FB10401C415D12F13FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:22.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666462094E5FE5028278D74E95248052,SHA256=52EE0B9DB043FCFE17049778A6FDE3DF30CA7E97B0640A913166F902909EE4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:22.031{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4223MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:23.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665334E945595B9A72CB660817984B49,SHA256=9D3B495642FB05CC310822250909E77367A6873FC7CD2448F557B82DAE45AD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:23.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB691F935B9BD7FA680825CA21CC119,SHA256=E344B99CF62F997332FC353BBE6D81E6F97EA519DBFDF02EF85D71F275016622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:23.290{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A62F1A46938FE5916082330670C6AE87,SHA256=8711CF6B24AABE8B61A51752CBA9F162AC126D32CEBA05B30111CB67E6288196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:23.290{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F528BCDF49D26F476F525891983E7B4B,SHA256=1127F67F3E9576C88E0413E47A90C68817F3FE808BE9FF471A36EB358E215D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:23.057{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4224MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:24.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75615CF0089F2B40DB15E35FF8F572E8,SHA256=C05AA722BF2C5CF1D8C8F6CC33C7A7D54F19DC00CBD134E4C14E5368ED02C335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:24.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AE53E02AF8CCE130DF7606F953787A,SHA256=7A7500CF666E9763759FA0EA58322697CD0A0BBCB12A9C45B5237215C4F41E57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:21.735{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001023965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:21.486{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65089-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:25.732{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E854F5FE7351A9D555EC28026BE6A44E,SHA256=544E6F791F1497129364D423002D01E80650BCE5791A353C90DFE9A52ABF3B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:25.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C0BDD2710E0FFEA52E345AD650E9E4,SHA256=B27E1B8FFA5F5E763BC8C583DA9B42ACE01CC30C9CC8E383F1085527280831B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:26.732{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76E276BD0697C942DDB05A29A64BD62,SHA256=00335CD5EA6ED80F65E2CEC91F890C07E6F8E74918E97DF218794A49D8F7F5EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7696-6151-6277-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-7696-6151-6277-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.940{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7696-6151-6277-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.925{69CF5F33-7696-6151-6277-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000960260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.425{69CF5F33-7696-6151-6177-00000000FD01}28161240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7696-6151-6177-00000000FD01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-7696-6151-6177-00000000FD01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.253{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7696-6151-6177-00000000FD01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.238{69CF5F33-7696-6151-6177-00000000FD01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:26.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD1E033C2EA7F9DA374E1B694B5B3A4,SHA256=E741889D4A4BD68464D69A9AE5264E952BEB6BC72E0423E67BBEA0018DF3B6AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:27.732{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7F2AA730F9F24E61BBF09E06D2825C,SHA256=E7857FE7C3658A53891BC88B452162B495A1A107B9C860ACE1E6780EEF00A68A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7697-6151-6377-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.628{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-7697-6151-6377-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.612{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7697-6151-6377-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.613{69CF5F33-7697-6151-6377-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB2253F42680B355CF51668AF55CC706,SHA256=99CAB526BA86648D012EB347DA9EED3A2CD1A2591B2FA6A1D88CE88BB58E7B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9835266D8E619D55EFB9F52C35479CF7,SHA256=59034BB1075884380FDEDC54D090DB481C4665C5DD1A6AAAE03A5C86A53BD434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=834EB3D8EE5E31828B241DCF6A35A00D,SHA256=800ECEA350F44772530521846E9B1124462C522D4E7EFAD3E2697BE5BF1C45A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:27.096{69CF5F33-7696-6151-6277-00000000FD01}36443884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000960274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:23.783{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58321-false10.0.1.12-8000- 23542300x80000000000000001023972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:28.747{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6070298D5CCC221676D45A8D21E35B3B,SHA256=D63654F3AE9DF5D1DC9A8E4C44095C4DA2E9FCA378F6255D927A25F786F5AF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB2253F42680B355CF51668AF55CC706,SHA256=99CAB526BA86648D012EB347DA9EED3A2CD1A2591B2FA6A1D88CE88BB58E7B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43CA03E1D5AE23C2BC26BD9312EEDAA,SHA256=7014C6DFBF49A41F5531827809B06013B564C8E21F0809D80FF4FA26505471D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.503{69CF5F33-7698-6151-6477-00000000FD01}19001264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001023971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:26.751{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000960304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.331{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7698-6151-6477-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.331{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.331{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.331{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-7698-6151-6477-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.315{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7698-6151-6477-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.300{69CF5F33-7698-6151-6477-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001023973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:29.747{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A0C03878BDC703D6030C4E1F185367,SHA256=959D95C03D7C1060483D9EC8D9F8B20BD7D945E488006569B981C3E951E881AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.893{69CF5F33-7699-6151-6677-00000000FD01}3436936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7699-6151-6677-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.706{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.690{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.690{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-7699-6151-6677-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.690{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7699-6151-6677-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.691{69CF5F33-7699-6151-6677-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151CA8D9F958FFA10AA4E6848F586801,SHA256=91043B17C2E7D17BA16AD6CF251AF58BBF08268FCDE65D798515A3CD2D20F052,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-7699-6151-6577-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.018{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.003{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.003{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-7699-6151-6577-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.003{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-7699-6151-6577-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.003{69CF5F33-7699-6151-6577-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:30.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60C099437E4392BDD0C6C7579124079,SHA256=67CBF69A6890C598981B5AB3640DF89FB379A9C57B84618E12CC59DA33867AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:30.763{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4C02CA05CE120482C378EA63DEA784,SHA256=FC5190298FCD47DF57939909751F681DF89C51C0995D19DC713D1C2395522A6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:28.378{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57956-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:30.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D51B6105E9F010A082B0D9E445F04C01,SHA256=8D8390ECA8D71D59C53EF98B132F17DFB43291395F08CB0FFCA487DE8E2FDFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:30.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A62F1A46938FE5916082330670C6AE87,SHA256=8711CF6B24AABE8B61A51752CBA9F162AC126D32CEBA05B30111CB67E6288196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:30.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD522E18CE4F566E22A585778FCCBA00,SHA256=E4CBFEFA6CF622EFEE037C709FE4E9D03C62619D4230AAF7C62A960223DC77A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:31.778{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DA6390C3FB1CFED8F7A944657138D0,SHA256=30499E39623D1C58816352CB6A15DC3E5B99C02BB6E4791B3FF11ACB218DFA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:31.925{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABECE3B06D981744242A96B654022A94,SHA256=F38FEE03F106D20FF03DA7D5E5FE3F7D0049659CA948C5DBBF5D772BE838AACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:29.571{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001023981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:31.341{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D51B6105E9F010A082B0D9E445F04C01,SHA256=8D8390ECA8D71D59C53EF98B132F17DFB43291395F08CB0FFCA487DE8E2FDFDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001023980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:31.044{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:31.044{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:31.044{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001023984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:32.778{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09861F40DED1F99B7A2C514C82EE722,SHA256=25EBDC151326919E70E53CD2AA26EEF9D9A83EAE14886D6F0DDD85D977148E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:32.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56BE16C078C255E319C9205E5F5E5190,SHA256=F89922AD75D1004046A09B71AFD3E669321C71E841EEAED0047EB21AF4D51053,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.538{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:28.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58322-false10.0.1.12-8000- 23542300x8000000000000000960339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:32.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58EA16EE62C643F5E5F7B77AE762631,SHA256=DCE47EA34B0B01E3724AB54AEA367D0CC5C47C78939148855702D76FB3D1121F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:33.778{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8FC176822D4009B415FDA433598FC4,SHA256=23C19EBA2248E10A981E1A13E3E80948351472A8A299022DBFF4A155F0966094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:29.875{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com62446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:33.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0401354278109225AE1858A5F80CABF,SHA256=1D86B0F3BC43F4AB60A90845610647F00D0298692C762A9DD38DB452009D7951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:34.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B254C60979C8FB0511BCE0D2A12B1B33,SHA256=8871FD6B43C9C6610E22108B7D0945B7528758013B8CA4A59B1965B14F886FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:34.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A33801C710590AA4B88B281A6B0FF0,SHA256=5E08300505C8410D48B7E6BD00DA7B55E73CD90FCC029F3C4C6D778E079B4E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:34.653{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:32.736{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001023989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:35.810{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F239D54F7E38E8B1B5FA7EB6D92F66B7,SHA256=BDF39A0B535CF34C681EC58444AEC2960DC0ECCE65BB0CF886864694A3C1177D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:35.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DFA6CA518F78BA5D474AF45204E6FC,SHA256=0862C3B248E47C48E48456F6D6E41A20AF9B975C3C0E480FF25823FA3BBA37B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001023994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:34.721{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001023993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:34.345{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001023992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:36.841{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6AE767369821B36A55499F0192B8963,SHA256=498F8D645B6840D243FABE7B092E8AF35ABA0F810F0107F33CB8664CE63EE575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:36.841{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4166B99E74243EC03CD19C393E25BD74,SHA256=1704968F0A86D7D29964EF962126BAD83FEB6C5B60055967C866E3D3EC3CD2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:36.825{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC4635711D9BFC9FA8CE2EBE5F90C61,SHA256=D8717C39C4A4DE11ED6FFFDDA2AF0C4B275AEEAB55E5033C7AEA4615848B4A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:36.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C037D62F49D6D5674DAC22CF5E9931,SHA256=73E576172FEA60FAA21FECC67DA963D9FDC87A1C3CAA133DD098CC0C05CBD94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:37.841{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B06FB65D48B7D5B282B689A17310C8,SHA256=A920DBD670EEB3F3C100D8022BE557B1CB204943B0D1FB244187F7E440636098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:37.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC749DD1854C7871AF5B1D2D38C78D84,SHA256=C5FC22E624FCDEF2FA3168CCFD9DF02B42804E31CE77E87A17B871AE41609B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:37.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73A57E17F2921BABAE0A77148E46001E,SHA256=FF153A1F57BA3A12CE94F851E565E99F8DF24D37447FFE68156465A0E91E1E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:34.815{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58323-false10.0.1.12-8000- 354300x8000000000000000960349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:34.793{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:37.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE48077C1699B0D26D30B522D55F842,SHA256=AD7173945DC24DFD943F170F11DCA534DE60C833D6921F25059F2E525C2D1569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:38.857{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37AF709ADE60BC38DE144A8E48D118F,SHA256=D00A4D9508A1102A62C083F732A6DC88587B8E894A11CB2748103BF0AE7F21EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76A2-6151-6777-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-76A2-6151-6777-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.768{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76A2-6151-6777-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.754{69CF5F33-76A2-6151-6777-00000000FD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:38.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE61BCE7E3BE73D6E44CB468C6674348,SHA256=C76858A4784AC619294946A54F98F8DEDE97E458FBC64CF09D9A8CB55746D422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001023996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:38.591{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=15BCB716C4B1A7C00C98406424770CC4,SHA256=11BF00281AC0460F18C6AAAAEC24306F5E7520F3A44C7F5F966EE104EC9DAD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1CA904A9A56A29A0092802B5DFC464,SHA256=D7C1011FC692C6E9D607108C31B98E387EBF36965A087A02E42CF422E4ED4189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:39.799{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC749DD1854C7871AF5B1D2D38C78D84,SHA256=C5FC22E624FCDEF2FA3168CCFD9DF02B42804E31CE77E87A17B871AE41609B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:39.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5D0383FE4C4902B1C4B1D27D761887,SHA256=4F6C85BE7CE6FE18023DB8E6C6FF55B368B4DBDD6E2DA28E39242C419284586E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.792{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.792{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.792{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.792{5EBD8912-7F2D-614D-0B00-00000000FC01}6242836C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001024012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.682{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001024020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:40.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBE9CAF316FC67D10DEB97937042069,SHA256=AF27FA1180ED0C34F500DD76DDED48BEE910CAB5AEF83D37A9758C897019DAE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:37.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59314-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:40.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F5C12039F168185102657BD3AE2251,SHA256=E76A73B4A3D52A3536135664E6744B9F4DA63BD6A8D2F6F1A003DE237A91A5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:40.823{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6AE767369821B36A55499F0192B8963,SHA256=498F8D645B6840D243FABE7B092E8AF35ABA0F810F0107F33CB8664CE63EE575,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:37.923{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000960371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:41.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DD1F4E551DDDF25B95114BB1D186A0,SHA256=B45F7D49A7D9297384DDB6D8F0E54BA5D9AD07908D5BD2CFF4C358B727C5BE85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.488{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52464-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001024025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.488{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52464-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001024024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.392{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local52463-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001024023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.392{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52463-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001024022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.380{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52462-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001024021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:39.380{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52462-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001024027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:42.042{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5EF4DDA9C61A8CA8521920FFD91692,SHA256=90593F0AA517F091413D2CC3F34C4B22B7F5D14120700BEDBAC04B8A293A9BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:42.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93EA0F5C4647149624EE49A7536B358,SHA256=958F20CADAD4C1586EC62207855D90E61E685BAC7111843F5CDAF56369D54171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:43.182{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796A026ED3D7A1D6320F72A0346A0D8F,SHA256=EBCE3078FEEA5ABDA0DFEDF610D1E3D9F97873FCC67E43169C59F68CEEADBDBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:40.768{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58324-false10.0.1.12-8000- 23542300x8000000000000000960373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:43.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67AE7ED0B33FEE603956D11ED54C822,SHA256=71310808B99B108015061F4D4312617B6C158341196D13CE9B7DF1AA6DD9975E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:44.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98E2AC964F4DFD62332FDA7B772A254,SHA256=F3FEE055F4B4F787754D64C0A0EF37118788D10C2B8DABF49C8DA4738A5FED7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:44.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=284D51B1B0F904D7C48FB36C72923E9F,SHA256=8C1D9D79C4FD14379C4D9AC05A46619EB608BE280CD576DA02DE6ED3EB57C5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:44.370{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB440E9DD0886D93276207C5116003DF,SHA256=9C3DAAA4569F51257189656BBAAA482CC388C83BFA329870EF0023E7AC7EA4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76A9-6151-6F77-00000000FC01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-76A9-6151-6F77-00000000FC01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.651{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76A9-6151-6F77-00000000FC01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001024033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.621{5EBD8912-76A9-6151-6F77-00000000FC01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001024032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:43.207{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61945-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001024031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:45.464{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0742657B8D309C3FB6BF047DA2857878,SHA256=65DE3C5EED431AA36FB14492427D4DA691998B894D70CA361390EE9D49BD1EEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:42.761{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62397-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:45.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C90824060B88946FFA35750BD6EC6AF,SHA256=782F11973B057088CEAB02F9016AE9EBCE0E91961D83E7E7239B4510E8EA105B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:45.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A581CCF6CE0DD117491FD06ED45A703C,SHA256=DA1DFB7FE6797B8CE23B9AE680B3AE1322A44FD23CF201B061E9A8B56DA1E643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:45.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4766D20A5FC163194F9356D7CC90F3,SHA256=D23A068A201E86340166C70FB6007C163B6D06D7041DEB186837AF398B500DA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.714{5EBD8912-76AA-6151-7077-00000000FC01}35924484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001024061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.636{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1497A91C9B2D1C4BEB1B68E6B54EE523,SHA256=8C7B8AF4A842421D2322A4B87902E2D5869938BE7B41DED707DB49A57F4CCEC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:43.905{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001024059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76AA-6151-7077-00000000FC01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-76AA-6151-7077-00000000FC01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.526{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76AA-6151-7077-00000000FC01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001024047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.512{5EBD8912-76AA-6151-7077-00000000FC01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001024046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1580C19723FAC3E1D1CED9A00B5275E,SHA256=18196A8E2D2F5A6B91BF42E0BCA1266B8F9D019A881FA351FC07BC60C3271DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:46.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2658E9FD50DE51166AA907EFBD754815,SHA256=C69AB163AAB697674087A6B7F289119F99CA8F0F8FB406498B2D1E494BFB9393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECA5E7013B1DB798F87EB05CB293DB5,SHA256=B3DD858A4AB1F2929D7C5F45DE8BB456B309753C40D0AA72FE7CCF2FEC92D7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:47.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666ACA8F6D02E985D7395FCEED02378D,SHA256=0E8CF03EA10D2BBA04F07ED816D4AE83D39B48DD2D086A4798B21515B7D69775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76AB-6151-7177-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-76AB-6151-7177-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.214{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76AB-6151-7177-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001024063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:47.199{5EBD8912-76AB-6151-7177-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001024079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:48.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4577205B493F1C86C3D2D38FE8E97BD,SHA256=35F5492EDCB0567E9198CA776F8004925F0C9517A86D47C684AE01CD78EAC0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:48.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8C7A6F69C6FE5563E5150D01E4022A,SHA256=2D8DC4EC27BDE072666350E81493C95F5BCC4B19A5D65FDBD32D7FA70828FA19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:46.542{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63928-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001024077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:48.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17D3FF370592C808BC3E2403487EDE51,SHA256=EA00C8F57B10FAB5D5A771475A7C8F0C237FCCBFBDD0461DEFD87B08B7CD6EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:49.979{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04F5A0DF19441CDFE3D208F9B3B0512,SHA256=4DD098F32D78F99317D0CE4E6D82462CE150B05AC92715041A19B292916E8112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:49.525{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C90824060B88946FFA35750BD6EC6AF,SHA256=782F11973B057088CEAB02F9016AE9EBCE0E91961D83E7E7239B4510E8EA105B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:49.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07AC2C187CCF4E71D24E5F1450FAA1B,SHA256=BCFA62B2B34813DD6B857D61727EBEE9EB3E4F21430AB8248F3B604F7A130E6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:45.783{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58325-false10.0.1.12-8000- 23542300x80000000000000001024081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:50.979{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C16B6F44265CC345D17AF828D726450,SHA256=7CA2B8F3924910AFB8665E824AAE6FD845A2CC8E1C023D8BD4DC165FCB5D5B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:50.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFBFE447CD8F2DA0A80CD8FEF6227D4,SHA256=BD26E92DC109F6A563A3677D7C4283B65915D40C7C2407D38C7A99195BA34F76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:46.647{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com59606-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001024084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:51.995{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E487927085BE0E97386728D9F1325D,SHA256=D61402319E4949507A50E19B968D8BB7A2963D09B9DABC97DC6C49A14B979665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:51.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B466C3E64106648A8FF57DE35A9408F6,SHA256=B82BE60F5FFBCAF029005639EFFCF70868830CAA1B9DFB9D8E377CB2F0424EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:51.745{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8224F97D891DAFB7FAD9CC87E5A583,SHA256=A147EB13418FD33477858C3E77442802FCEF93029D0830CBBBC9947137DB5532,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:49.874{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001024087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:52.995{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649EE77AAB69BE8C4EC5E0B3F216E288,SHA256=FBE4328865674EFCB0DB8F4102DD0130C5333FF09B974B1CD50167E208B003DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:52.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1FD70858438AE328FE4E05BDFFE398,SHA256=1C7F88846D3393164519E0812DCA3B54F210A1CC9E3FD65102A97C4FF82D59A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:51.066{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50466-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001024085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:50.784{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59915-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000960392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:53.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7655E93961621EBAEE5594FE4876AF8,SHA256=EAD6A04309A52F0CAA6EBBCB52E04A27974CA2845C6F6A979B33A049D7275186,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:50.856{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:53.409{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E5B325742DF4D317B1AF589C34D996,SHA256=63BE2DBEBD0515B782FDE8FAE8A8913D2F10A04C0F82D6FD38138C2981D33672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:52.245{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61088-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001024088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:53.698{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F4A7C75A83B4A81E17BD92E35747B8,SHA256=5450D1C006D586389A9F3AAE7C0CA33B88FBE94283CCEA32541C6C438F8B3012,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:51.783{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58326-false10.0.1.12-8000- 23542300x8000000000000000960393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:54.424{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE296DC4FC6981A27D6FC59A74BD4D9,SHA256=C2F091B200F7D71CF8EB157299A21F6F756BD6B9DF135AE09BA6750550AFF7A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.979{5EBD8912-76B2-6151-7277-00000000FC01}13004152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76B2-6151-7277-00000000FC01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.823{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.807{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-76B2-6151-7277-00000000FC01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.807{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.807{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76B2-6151-7277-00000000FC01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001024094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.808{5EBD8912-76B2-6151-7277-00000000FC01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001024093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:45:54.573{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001024092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:45:54.557{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001024091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 07:45:54.557{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001024090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.011{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044EEFE09BDF15BC07C55C749E7AD05D,SHA256=AAE252B0FF45E9153DC746D4EB4F315FCE75238814F3C2DD552958EF105A3091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:55.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E046B8D133886047060EB09E0B9BB2FD,SHA256=A3AF919EDD598E9D1E623D8FF54EC255A8AC32B7CC8930632502E1870AF868CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.274{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52469-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001024128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.273{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52469-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001024127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.267{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52468-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001024126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.267{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52468-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001024125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.251{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52467-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001024124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:54.251{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52467-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 10341000x80000000000000001024123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.745{5EBD8912-76B3-6151-7377-00000000FC01}45922644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001024122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F96FFD9A5B7C78C761B3B4D765BD9E3,SHA256=05F0339E3EB9BB86C6C3B0229DFBF4A63989C4C052BC1FF3824F192D8EDE12AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.526{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76B3-6151-7377-00000000FC01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.526{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.511{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.511{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.511{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.511{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.511{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.511{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-76B3-6151-7377-00000000FC01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.511{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76B3-6151-7377-00000000FC01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001024109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.496{5EBD8912-76B3-6151-7377-00000000FC01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001024108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89278BC0835F175BCA50E3F9F535C942,SHA256=AD4C6078CE754DD29987556513C1DA561B5B00420708887C25AF797E0E97BE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:55.162{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4224MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:56.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A3E0054A8540CF9673940B7C304A0E,SHA256=2488545C2DDE04042AC21AEF2633FA757AFE0A7AB9306EA2333118BDE98A5B10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76B4-6151-7577-00000000FC01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-76B4-6151-7577-00000000FC01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.729{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76B4-6151-7577-00000000FC01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001024145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.715{5EBD8912-76B4-6151-7577-00000000FC01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001024144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.495{5EBD8912-76B4-6151-7477-00000000FC01}4252628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.229{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76B4-6151-7477-00000000FC01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-76B4-6151-7477-00000000FC01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.214{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76B4-6151-7477-00000000FC01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001024131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.199{5EBD8912-76B4-6151-7477-00000000FC01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001024130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:56.026{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C59623E7435813FDD02045A4AAB2D70,SHA256=8E8C9766C5A092E614A0B6BD56C3EC6C401124A45945108607D5D8F84579D25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:56.177{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4225MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:57.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F852BE2526C94243FBC65CCFBB1D43C,SHA256=4201E4C84028F948941B2A58D7AD748D914F46506CCD39714497A092D3F2DB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:57.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64EA889ECBB63BBCE9B9E1971E78BDD,SHA256=C73DB23440D59E16CE0733F34E3A105BF17EE9565493137F41DC2B024F929735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:57.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8B6C3D3E94C622FCD04A8E5CEE9025,SHA256=A7FD3EF534C60AF8A2D397D3F49E5494464772A9010DD279F544E1C4F29F66CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:54.480{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:57.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E2259910C32394F35F2CF9045853202,SHA256=61144BA5C3AC2F9CC58F33ABA902FB4F145C8CB63FDA7610721A1F73EBE375F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:58.558{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C01FDB063E7538F26220820DF6D5F3,SHA256=46C5CBD25D6C073F883275F7DD9F8B3A876C7B77E2ACBD87E6CF0F3AE1B72740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:58.456{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A94939FA04312CB436466E5D39ACCCD,SHA256=EB93D658FAF5D7D0F52688FFDA750C9D09F6A61C6A66B03ED5DC5534D9CCB890,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:55.780{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001024162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:45:59.792{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E258F9BE4E3323870CE6C54AA67BDF,SHA256=ED031FCC825962D097587BAE238DDB4314E6B1C7CB0D402299F01C2520978842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:59.894{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78968750FF4BB2F574C7F862176136A9,SHA256=A5C4A47053CE232C85AD697768AB4ECAEACA2D5B41AE4F5F689F62CAC3A60805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:59.456{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F3EE325D21306F8DB77289A509C2CE,SHA256=342A8543C91DEBCF610A813EB173759E3BF628C9E39457D5EBB3A59F73257A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:56.309{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54556-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001024163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:00.839{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55115BDA30C17E23D20CA418CEE4854,SHA256=30164CD8E513B738AA64534FB726E66B0966A0AC71A74F84B9607D1248D0AB84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:57.349{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com56306-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:57.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:00.456{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BF2813D5022754F0655E8C6FDD38D7,SHA256=3E14AC550C98C662B66EC1515176D9C58EEEBE9C45994EF51A7A38F78E388327,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:58.728{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:45:57.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58327-false10.0.1.12-8000- 23542300x8000000000000000960410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:01.472{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EB2CD22971F2C12B3BF6F4297CFF4B,SHA256=8B209F12AB12B7A177F8F38C710D735555805A520A55029A54C34A0A7939BDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:01.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50DA49AFCAEB0FBBC0AC9DF244CFDCB8,SHA256=14F85B8CFAF5D1C6024B64C529389106DBE7AAACFC1D9A4FA9EA8B9FCCB6BE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:02.488{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8FBFD57F116255DCA8BEB4F1FD97A4,SHA256=1E28E13EFD735A4A96136C013A11EE13D9DB69B23E19A109359BB6A3ED220A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:02.074{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8104E495E2D6B29B6FEE7503D268C2C8,SHA256=3DB3EA88093A131686D109417D5DE3D09E6FE6834F9C59A1980244E6FCE0272B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:03.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D62647BE4A227A6DF1575FA1597CD8,SHA256=370097791A5DF76D3B3776A01598E4930E3231B9BC64A0DD26A6DD14B60F6AC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:01.765{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001024165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:03.089{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD0691F09BEB38A16E14EFB4C6E29AC,SHA256=75D9B7F7059CAA91CB99DEBE7AE9F8155CB8AFD366A75549636EAC467254A04D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:01.313{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57405-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:04.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24A95F2D63978649C4FD9DBC43BD40A,SHA256=BB6CA610756A461DB636FC64BDAFD0659A2B677920D5E464E04BD8EF6761E565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:04.105{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3134A6822FCBC827F97E9FAA218EF9C1,SHA256=10F88BEF7F3BF1C7A17AB88CCB0006D97AD54BB0A3BEE2E397D307267DAB3EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:05.738{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4BE74D3AF704EA308B948692A0589A,SHA256=31565C46D07E6B2E8A9C6BBADC817A4E33A1F47DE114DAC407F1C3A7A2A247DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:05.120{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F67333E7ED0EE4207758A4D0F69E37,SHA256=80B9E24120409AF02CDB5DE1749EFD10CFFFF9F56304795C4FC1B3F48087601F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:05.191{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F504C5A9B9DBE166196A87642105F6F,SHA256=236275DDF071D04524D6A5AF8225ECD73D36B4685E838A6E458ECA9FCF9E3D75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:03.799{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58328-false10.0.1.12-8000- 23542300x8000000000000000960419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:06.972{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184809D0AFBA40231502FE481BA29368,SHA256=7223A5555D995A0FCB464998D541E4DCEBA312CF846E2C98A1AE3CDFF71393B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:06.120{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C70423C1380A2D494464717B2D37585,SHA256=F77C8950CE90BA785224C38AA30B15F3F3199397CAA3E75FEDD45E9476FF66A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:07.574{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DF37B515DAD89B6B226D49FEA08FEB8,SHA256=9298BA646BDCA788DFC49CEB124CE67A93DEFC77BB25F1DD87ACE10F24C63069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:07.574{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=203D55A906E51C675FD5FA4183D9B3C5,SHA256=8672CDA6226727B43D009F8BCEA322483576AE72A4D5949693AFF5DE805BB42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:07.120{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CB90A4C61675432D3F937DDCE81F29,SHA256=4369111B0224A4FF718A578CB4A9ADC3C27CFFD05135131D94686921D17DAB5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:04.735{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de51342-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000960421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:08.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBDB764EA98B86F5255047152EF600B,SHA256=48258C2CAD9DEBAF766FB93DFCEF824147E31E984B8CAA8711BB1D66E32B85B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:08.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB800E1919B2656C3217AB2C03F77008,SHA256=C6785BC91DF4C02C51A7E06980DC28B030FBEC128D471A9D1C5856A0911E27A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:09.441{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1D12FC5D406C61C486484429925DA6,SHA256=C891EF6F6CFB4C28B4D6AF783AF4A0324FA65FD534D64E957829F9ADC4E47715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:09.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DF37B515DAD89B6B226D49FEA08FEB8,SHA256=9298BA646BDCA788DFC49CEB124CE67A93DEFC77BB25F1DD87ACE10F24C63069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:09.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFC7AF0C5F64B73A8933A6E2528BE60,SHA256=961F67F2B45FB6CB85494F3F93B684CC5727F1D2E41D62CB5C2D6A4E17D3AB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:10.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF2306BF529647079ABE94FE1DF1AFA,SHA256=1E15B5FA7F03FB5812B9906EDE16D9EB7382160DB9D5F84CCB9698CA5735B39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:10.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DE03C510A4860C22969B5958D5AC11,SHA256=65194B756DA438C3892EFF7A0C7EF05A34FEAF8F69EB8C6BF5F81F97D0E1056F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:08.120{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001024178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:07.820{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001024177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:07.781{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000960425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:11.816{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:11.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01236B10BE8F2A00D50653EECB615100,SHA256=5E873C9694E1230AD2A26207CB3952AEAA418833D9F9BFAEF6D80B105B455073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:11.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F971824004CBB596CCADA45164C15F00,SHA256=F1B223BCBCEB8CE8A7D4DF679DC93D2DFCA065DF083928D1B9D9520655657974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:12.613{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58D09541E58DD662A6919F8009E0A1B,SHA256=49D49801AA1550AC69208C537FDA9F95582A38F1A0AD74EC02C86F38E7B7866E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:12.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0C01F4F6BC877A3ABB72AF690EA7B3,SHA256=4D15E2F8248CD4E1D5DB5A60FA6E2233DDF0A3A26AB2EC6F5F4E71F1E18373FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:12.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24EC726938920EC91BB5C45A2D798A66,SHA256=5E5728985569B4FE5E5920F419F188B11F90716F3F7D7B6BF2D01DFB23945D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:12.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C59941D8D0845E2232B61D9F9E620CF9,SHA256=566CF91DBC5BB74BDE6A271D146256A9A1A58F6F5173429245F9C81905E8C6C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:09.721{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58329-false10.0.1.12-8000- 354300x8000000000000000960426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:09.467{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com51490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:13.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276C0AE99F947F1223A0591A6A795AEF,SHA256=B341FF0D9DDEBF5146A549D6B6EDCEFDB46A4C9E3AB008B38149A0A246C7D85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:13.167{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30704089BB3A82DF8A22C6FE46635A2D,SHA256=902119BF8CC424C978339CFC63CA8446017A051E12331E1CB2E1E8057F478924,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:10.456{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58330-false10.0.1.12-8089- 23542300x8000000000000000960434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:14.878{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24EC726938920EC91BB5C45A2D798A66,SHA256=5E5728985569B4FE5E5920F419F188B11F90716F3F7D7B6BF2D01DFB23945D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:14.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571D06AEAA078045D7985C49B1E47848,SHA256=86C598B7F3136D8AD7102AB70F56452E6CD25BD5576FE23E706F89B50554D02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:14.167{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CFC1B1979012BAA7973918B5570EE8,SHA256=AD374221764C8D4225CF6447D522462DB1FF0909EE5FC26B97ED3D5100D8C7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:15.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2D80196B9CF740DCFBD877E9D467CD,SHA256=C3818BEDA3139443F2E06B844D583D06839640EFAA1987D3740631177A4B3629,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:12.921{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001024185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:15.167{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C65E88EFCDEFE78F7EF66BC6D722828,SHA256=4B7C68D5FB1D83744705009996175382FB0A3B952053A52392EF6F9111CCF0A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:12.377{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com52144-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:16.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E8C88DC5E7E20ABFB9B245864D56C1,SHA256=8BE243A96FA9C04DF7C4B8DB6CD7EBF31653B0927820255E464C27E9F6B551D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:16.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18566F3ECF85D97EA0CC7DA7F745B1C4,SHA256=2C11FC9274224F52C5C8214BC58BBC994CB25F92295BD90EAB44436930499021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:16.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E479F2A1CDA167A2A1BBC6856840478,SHA256=D7DE9AE7B4574C2B6CC28D604FDEF2CD742F68A5A8EB30BFD0DC342563B1DD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:16.183{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FCE3D05EF992898F0B83D3C6A34B86,SHA256=5C370F5022526581C0766A83C57886E0D77A35AE12E541A4C44BED6C6562B45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:17.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473D958DD85A40A7D5D6D8894F8A54B4,SHA256=7F756E34FA6280CFAF9C8D61B0F4417C071DC039840507AE8D1BDCE43902EA4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:15.140{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52474-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001024192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:15.140{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52474-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001024191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:17.605{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18566F3ECF85D97EA0CC7DA7F745B1C4,SHA256=2C11FC9274224F52C5C8214BC58BBC994CB25F92295BD90EAB44436930499021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:17.199{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD852C3D4A54EF7183616B2F46845E3,SHA256=7D558A32D06C1D1AF45530FCF4F92A0901E43AF35BBA4BC94ADF1A611D4D9E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:17.488{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10008235ACAA611EEB46E242CBDDF2AE,SHA256=9833FB9A4C0E286B9DB19DC1CDBAFD3DD1453721D18AE140626E8E82D96F7119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:18.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7F6A5C468FAC933FE437CC89BAD11A,SHA256=E968308D2759FCD549CA2279ACFB803A61EC8FFA7C6734D7954FBC86A414A048,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:15.983{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001024194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:18.199{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDECD19C8EB8434CE107F59214D207A,SHA256=E089A6FCF366739422F83B295A2801C2E9562BEBB644673C73B6BE791BDAD02D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:15.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:14.893{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58331-false10.0.1.12-8000- 354300x8000000000000000960440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:14.803{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:19.679{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCCFE1F69273BA65465CF076B6F3B5FB,SHA256=AE4D97C890644DB8F7F9ED6F75E28A754FACAC8A4B578E17DAB88A7B6B5D9356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:19.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9963DB5DB64F17F5A34577BB67BFF1E0,SHA256=7A6113B9864183743F28BA116EE22497471A376493969EF92C4C821A72748F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:20.914{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A0DDA9D92971735157DA4B42E33706,SHA256=F70FAF2DFC1DD71AB5102B9DDF0FFCF213360D8276E8B5AAFA843C20693B24EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:18.828{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001024197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:20.562{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59EF08CBD62D972ACDFD5E885C27CCC,SHA256=D849793F30EBB3F5549498EDC34EA211EA4465E5AC9681B0003A71B2EED9A154,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:19.975{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001024200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:21.781{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07D5E0C36B865F64032AA868796CE7D,SHA256=7F3F5B34D4F7EB2DD979A9E817B8F9C0C3078718A6D19BC635ED373141AF212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:21.641{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DD43F127AA3BCC77B536924FBA57769,SHA256=2D08C0B7EE490EC95B8A2FB74D4ECD46CB01C61AEA972DE07220C654E885678B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:22.938{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F6614DAD983EDE9BD028FE3839C201,SHA256=87DB53F6B6F85D1972CE07F69E99D81703587CE2D5D3B35DD57B55AC052C92BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:22.148{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60F7493DAFC777113D6223764B4C5D3,SHA256=D90CBE1E026D3F4CCAB7DD10261B9AD93D3EEA70FCADEC7B177EA2877196006C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:20.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58332-false10.0.1.12-8000- 23542300x8000000000000000960447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:23.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3E07146E2590D15EDABDF1D91CBCF0,SHA256=C6501DC445AB1010A60A144C2A593FD0511EB001E8B0056A0F2906762624CBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:23.581{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4224MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:24.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235D7C1AD74D7A00C979B79A2873DE88,SHA256=21346B54170D0FA4B0FD4D79E38A768B637C1949CF1E2923DC3B635800EE083B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:24.596{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4225MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:24.173{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EFED1E75C0FE45DAFE30C82EBC2DD5,SHA256=44E22A6460B62E3DCAB601607B1A3319C99DA6EAB7991BDF21ECC82DD0F89AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:25.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9844443E8EABA31BCDD8DCACF7F8180F,SHA256=8A6BEAB9AB5E0E5BE61042E49A02DA380C788BA00C671CE1C810A3B0F6B7BBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:25.253{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818340AEFB08AF922A1F6E23B98582B0,SHA256=18C92E5D905502D66B36933828CBC602EABABBE909AFC152A6FD186C9D4C41D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76D2-6151-6977-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-76D2-6151-6977-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.961{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76D2-6151-6977-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.946{69CF5F33-76D2-6151-6977-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5953B449C53634AC7A34CFFDC85BF3E,SHA256=04BC3D7C2C6DBD1E16199E0CE2EA433917A51219A5E71CF5DB730F33509BB922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47156394F75D8A612B4A034044038590,SHA256=9FEC003C67C1B5CD2C6B2736B8F338D0C25574EFF19CF30811B9EFC6BDBD19A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:23.796{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55062-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3977927010BC406E6F127976C1C129,SHA256=0289686D28D104D48E80616E4A6FBB838A9EAFD3A15F4A44D7719A3B787B59FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:26.300{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5B74432C54332844B6E1C5A413E1B0,SHA256=C3DF7B519310FE6BF6A9961EBBA8E35B8382BC6B9467BB82165C4ED98A21B37D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.445{69CF5F33-76D2-6151-6877-00000000FD01}8281252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76D2-6151-6877-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-76D2-6151-6877-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.273{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76D2-6151-6877-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:26.259{69CF5F33-76D2-6151-6877-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001024210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:25.038{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-57256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001024209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:24.836{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001024208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:27.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB10F7005C17FC39A1845CD4120F723,SHA256=958D442F2B179E3E63CD3FB887997D88D6C950A4AC424177C6C9011F9840C0A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76D3-6151-6A77-00000000FD01}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-76D3-6151-6A77-00000000FD01}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76D3-6151-6A77-00000000FD01}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.648{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.633{69CF5F33-76D3-6151-6A77-00000000FD01}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000960482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.149{69CF5F33-76D2-6151-6977-00000000FD01}6523324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001024214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:28.566{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822C8A832D08B05BC6150105209B2F06,SHA256=3B488C5DCDD8AD40F4279610F333028985906BDB54E044401CAB9098AEF0F724,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:25.835{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58333-false10.0.1.12-8000- 354300x8000000000000000960512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:25.811{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.243unn-212-102-34-243.datapacket.com65040-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000960511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.539{69CF5F33-76D4-6151-6B77-00000000FD01}31763052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76D4-6151-6B77-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-76D4-6151-6B77-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.336{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76D4-6151-6B77-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.321{69CF5F33-76D4-6151-6B77-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC07783A676346CAE33FF6092538C75,SHA256=A4C064C7B159368FA42DB1FE0D34FDB2C8FE21D5049D1B0C5BB3B338E96BE8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5953B449C53634AC7A34CFFDC85BF3E,SHA256=04BC3D7C2C6DBD1E16199E0CE2EA433917A51219A5E71CF5DB730F33509BB922,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:26.495{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62350-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001024212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:28.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00429E483069787641A686FCA5D385D7,SHA256=ED30B75DB91B8B72CD63AA07ECF9EB4EC36648D9B0383F65C3DD835ACD477503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:28.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C427CEC4F5DA7A45509F80A37913BAD5,SHA256=BFBD86D0148AB8EAA059C5D0627901D0A82E6E91747718402ED1F6DEED0EF340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:29.566{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834AF953E5929D645EFABEADBDA12DC1,SHA256=A3CFE2786C138CAA9C4F077FB821E1D6F95E46A129661389B6AA231222306B47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.883{69CF5F33-76D5-6151-6D77-00000000FD01}36562996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76D5-6151-6D77-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.679{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-76D5-6151-6D77-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.664{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76D5-6151-6D77-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.665{69CF5F33-76D5-6151-6D77-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CFD725BE0C679DCB68067A90FF7D856,SHA256=3BC425899D0BEAD0304DD929D9F163FDD66D00D529230571E59F963D1F84B47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C53CB1D72BA3C3D31E5E0593C17FA,SHA256=E2E9FDD581567315714DBF2E7F194C63B4B132F34B8F52A20B7C828386DE6F61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76D5-6151-6C77-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-76D5-6151-6C77-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.023{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76D5-6151-6C77-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:29.009{69CF5F33-76D5-6151-6C77-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001024218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:30.613{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638D6FA9042C0110AD9A55AB45112CFD,SHA256=53E0B3A3D39465935AABC79DFA2628ECB5EE6C5D735E4BE48626B793E79847B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:27.984{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:30.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2623F3FB907F441146547467F75217,SHA256=97ED1685496DE4B751DC9A40A6B54DB12C71FFE0D91C2BC5AC68DF1C169EAE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:30.383{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06B7701B68B27464C04E5A22B1B1591,SHA256=5FDF0BFAE7D084FB8BD5216FF74C78C678001EE67E9535B450AEB17427C82C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:30.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00429E483069787641A686FCA5D385D7,SHA256=ED30B75DB91B8B72CD63AA07ECF9EB4EC36648D9B0383F65C3DD835ACD477503,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:28.957{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000960548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:28.306{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.237unn-212-102-34-237.datapacket.com36195-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:31.930{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DC35E50175EE6FB067D6B1E5B754AF1,SHA256=586DBDBB199F8F9C986A09886E24BB38997983F89CCDF936DBBC655DEBF4D463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:31.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF5B12AD27B281701B524FEBAAB13CD,SHA256=8A59270EB46FC5E7CEC10C2856AD5C0A6253AF76D47673D7D6A1690785D14BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:31.894{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C0258C67FE9DA5D459EA6D29CAEFB5,SHA256=61666A4A1FC115D15CA5B5AC06FD3015181C5FDC4519E0AE300F15DD3D3B4FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:31.644{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331E160A1066F5B7FFB0189EB377E6C1,SHA256=4207046239A7B908BBBFF8DBA88DD8EC4AB15EFEC20DF744125CE0D191A96639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:32.789{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F39462255544FEE2FA4D8B1564E3A86,SHA256=6A1A598CD8C76F0BE1312328D391EB52B7363B52F190F8D961C96F2A9E09BD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:32.644{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3229BB45F140AFC43298A2D6690953,SHA256=30D6FCCD99F2D9C8AB6625F7AEAA0D017A402067DE807E2924BD95F20B9635F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:30.963{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001024221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:30.836{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000960550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:33.836{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B6DC1ADB12968C425D34F1EED37B42,SHA256=4A35032F61BCFFF76C639018EC49AB73EECA2C53AC0FB9C25C52DE9CAF1FB74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:33.753{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3EA84250F451130F741F6B6AD5B5B5,SHA256=3C1BDC923037497FEDB860D7D77EEFFD5C0BFB46F02C11AC57A69B5E9F62DD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:33.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7023F1B83D34F7F65FAF3AD8AAAE8663,SHA256=946C51E0F2A3D0568FB1A1D899CF6B1A58400A71AE0A093B881C9F1411C18A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:34.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F449D6D318506E8AF757BDA305AFF045,SHA256=416B9875527C7DBFDA7D1C9BC0BE54F4C18953A4BF5A040CD5325616213083CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:34.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAE827F8A4430373ECC657675B115A6,SHA256=6B9E82D6D2310E040E43C2AA6013905436F773E67A94EE758028978B0DAB7F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:34.675{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:32.140{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001024229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:35.910{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A6BC24F29D2250C1832CFAB7EDE68A,SHA256=039FA8E67EA13DB6D3782056CFF3BDDA54515D3E8916CCE160B2CB3F81465179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:35.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360F4E7A54DC84E4E70B618838CA2433,SHA256=5FDCD5977DB78D86A0F6BB3AC8EA899AC873A567CC0FBBA7EC0004AB488FB8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:36.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E846120E1A4A00BA7898FBBC0AABE05F,SHA256=69A0C215F8D28A9967D76827F806336F46CE66CC77027A8F8829A301343F6E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:36.785{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AE879A5FB5B822BCFD7A2714AAF2C8B,SHA256=6529FEC5F07B123EC234D4649383571D90E4A5B26F1EEA1940C258B055B542D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:34.876{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56147-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001024230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:34.351{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000960553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:31.757{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58334-false10.0.1.12-8000- 23542300x8000000000000000960555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:37.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3648E6261D5720D9E2C2240CCEDA8602,SHA256=8C4EE7C6A8B674C4E603DED3B104E40B4D0B6CF47BAEF3FE91822130D08EBD05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:35.836{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001024233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:37.097{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E596FB828AB088F57D4BBCA3E585C4,SHA256=69A4ABF1FFAFF86FA5A17092D6DFDCB5C3FA4CA9CA0F470AAC18EDF9165F4254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765A9A022E2EDC94867BD5947016F93D,SHA256=B7F934ED7A6DF46E509FFE23D7BD25A9780AC5D86C39ACF68910C0DD1425BB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:38.597{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=759181345E25C7A827B5B6789B7CC1EF,SHA256=16E7C837A6707CF873AC024A6E92E73CD900B3440C935F60000FD3779BF1DA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:38.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E2C60CA2B0ED27C9D2730DDF1A75CE,SHA256=0B8A0A53C7EADA4636ABA06CD9AE4775AD63ED6A34DBEB5DF9C81912D2BC277D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000960568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.805{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-76DE-6151-6E77-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000960558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-76DE-6151-6E77-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000960557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.789{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-76DE-6151-6E77-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000960556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.774{69CF5F33-76DE-6151-6E77-00000000FD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000960573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:39.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD3418C0451D484ADB0223709BDB9D5,SHA256=B0836A113B25A3A042E04B7D91447F5267ACA0B072927B8C79AD3F49FD4A532D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:39.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CE80C3CE380E6513AFDA9D1A03C522,SHA256=312FE1730913024643CED16098B24316CAC25549238AD404BC96448217EA82A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:36.252{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62874-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:39.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39B623E3BFFA9EDA5078BAD75BE73397,SHA256=20CF2211CF2DBE7AE373DBE34F56632C5CA99FA1BFA688F1DFCC73AD75FBB828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:39.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51B51E00A1646BB771DFA2BA89B2F919,SHA256=E188707B1E164DC76484DF66BBE026D8F9D9B9C15739922A10A354CF73E43942,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:40.629{5EBD8912-7F30-614D-0D00-00000000FC01}8884164C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001024238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:40.348{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC988044CC0E515025734C709E186B9,SHA256=5E41E2CB8D7FF0836C0C74BD82122CF73EEEB302AD71C8B39DC3E08E8C6CA556,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000960575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:37.757{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58335-false10.0.1.12-8000- 354300x8000000000000000960574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:37.310{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50067-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000960578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:38.544{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000960577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:41.277{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39B623E3BFFA9EDA5078BAD75BE73397,SHA256=20CF2211CF2DBE7AE373DBE34F56632C5CA99FA1BFA688F1DFCC73AD75FBB828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:41.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD2184459B7620EB558063AB40E3F47,SHA256=8B33ED074D3F8CB930D581EFE7A075D30E5856D3678127392D1255B9635FFC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:41.348{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8CB1CFCFEDC3CA4A77BBBBDA1273FA,SHA256=7E315D1C208B370B05AEF85D9F120D072D6ACB845CBEBF2C64487E57FA160893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:42.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A78FF01FDC25F486F8E1C735EA6242A,SHA256=E99CD6B2B674BD2296CCD8F768F1E39DBFACB69C96CEC5BF87023B38425608A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:42.363{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAE0154FEACF8088C3FCE7A3352F17F,SHA256=D2A67D04849166353A68A6464CD385E63682A7CAB2348AEC2FEF5A3F58EE4E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:43.363{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6718EE6513CDCB7A747A076D2E8CC79E,SHA256=996634B683CF257D9EF50876F67A4555E4DAA2A1D13243C8D8EB799CDA9CFC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:43.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55C98D0B4796AEE36B049636514BB12,SHA256=207B49D8DC6EE5BD10C8288633E322473284EF175CAC2591D482AC6E75E49820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001024244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:44.379{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69585E7EFFC5EF011A89E5EB15444D6E,SHA256=F3F1A6DB687805888862F3C35CF703EE1E58CAE94C8160F3194CA8BCFC578966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:44.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAC0728AADC2AF865D4D8E421FC89EC2,SHA256=E6469FE3FAF636DA9A7DA569724279363A6CF43F65AA0A0968198A1AC8A34DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000960581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:44.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB2D1BCD53547B17DE37E255384E3B0,SHA256=84E60F33B928AD167FD537297D5E0EEFFF6F5B7342CF84D09CF4199E81512919,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001024243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:41.789{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000960584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 07:46:45.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFA93503CC9589F3EAB6A9BD2704F9E,SHA256=2A436340DEE0BF67B591D3ED294B7AF198D523B5A8AF7F92C5AC4DF9A295B154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001024259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.832{5EBD8912-76E5-6151-7677-00000000FC01}45281292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-76E5-6151-7677-00000000FC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-76E5-6151-7677-00000000FC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001024249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 07:46:45.629{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-76E5-6151-7677-00000000FC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwa