23542300x80000000000000001444927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:51.285{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFDDD6F62CAE9B54FAB9129FEC99FE1,SHA256=FE6BA738CDD5E87297C7063F2160FC50E547CE313EE7B7D600DB3533CDFB4F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:51.167{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0F690D6D0D3C240AADE92311C672AD,SHA256=F4E192A693E2A4EA846DDC142EDCED7FE3F8643BB4EE0E6710A8CB4952CD18F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:52.333{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96947A72F640AF3D562BA630185CFDA4,SHA256=F08A37B6E855EE998EBCE8FCB75EDEB32ED0DCD656AC07139FCC504C624DDEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:52.182{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C812F959811D5FDDE076C18D6896BF1D,SHA256=8AC1A63E4808BD83C5F74344F76821906793AE4355644E5EFDF9B0A94660E5EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:51.727{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50701-false10.0.1.12-8000- 23542300x80000000000000001444929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:53.348{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEE02D1557FA9D21B2A4DF38AE95E33,SHA256=82BFDA7B81A88FF5550FA0C98D25F0979734D8B29057FAF2BAEFA740E70D2291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:53.198{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD768E529049765D59731DA52B50914,SHA256=4A91DB4E6799FF2DC117D5175CC3D63974DA4B9EA60D298FD08FA1861121E0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:54.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43806213964881635817E77F1DFE970A,SHA256=BAC1E13E70D6D61522C80FFD76E27ABD08260E8CAACA4812629D440F93E73942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:54.214{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279BA538B1107A6D6EF8B019F2284AA2,SHA256=B57C8FD1FEE546612430D925AB345882E1F9C767BEFC389A71D7BA19DB9E80BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:55.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57408EE6C509474EE89F22E4DF4D2396,SHA256=76BFB4C1A7F8FC56DDB6B48CD56D5559BFB573572E11ACFF6B6680DFDB6C3CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:55.214{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AFFA525EAB03A5E6DF0C400070C89A,SHA256=09C61BFA3816B29E0722F13681316D509AA29C7D75307BBD8A9DB8BCB751D6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:56.395{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A2742D70FFA2FB043F58FE08217D57,SHA256=765C4D47BD11E21FBFD1F0DE430CBA4C5890B19A308713E733E3E2E7D6B55F66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:53.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:56.229{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819F5EF8C1CFF4C3EC6665A8961045BD,SHA256=D9690E5BC39E536E713B00BFA290D4F1AC5CC46590ADA3CD040D03607D3E4896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:57.395{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD8A2B3FA6A74C23859CDA2FEC677D1,SHA256=77A9C3DF44C5CB8E55D3479BDB7670E65711EBABE766A9E6EE1D2FCB5C21A0F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:57.792{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA980F9502085D91660ADE7111F809FC,SHA256=C5A69CA85B3D690E8D0CCE717B6367FB4F39B90552EB232A4E81662A263DEC8F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001539807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.981{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B13EC9BBD5BA331866509AB442BD2B94,SHA256=93696397A95FFFF5D0047B990737F6F2BA2C9BD0CC71E58C5E50FDC074A9E252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:58.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82CC2474BB44ECC153105E618CB144F0,SHA256=B2973BDFA0396947F6E9F067526D9907F7C3898F85788D675800813C2F9A1482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.651{5EBD8912-2B0E-6154-F402-00000000FE01}19404308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6D8E262BDF26DCFFCAE611FC10974A,SHA256=3A1CE630D916B5EDC95297D88236B774B291BB8EC56FA45E8CF98502D5AFB8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:58.410{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CD0BA7D8D54FF911D7E53088DFCA42,SHA256=B6F483DAC8718374D95F1FA3790D3A0633272D548714354AAA1FE776226C65F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:56.898{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50702-false10.0.1.12-8000- 23542300x80000000000000001444936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:59.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A34D9EC666553E909D2C56E4720D03,SHA256=1CD6F2F6F4619639912C42BC02109920996CFD26F7648E105D144BDE8A839B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.979{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B13EC9BBD5BA331866509AB442BD2B94,SHA256=93696397A95FFFF5D0047B990737F6F2BA2C9BD0CC71E58C5E50FDC074A9E252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.260{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D09867DD113764B991B5029F4E93A9,SHA256=016CFD4B7325ED0E56E15AEE7924481A4A1D7A02B33B02F61A121A638F56072B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:00.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3684F80DF4CF17C0A55A64157C5D30,SHA256=EB18709C6DA0D8BCA532B9526F8C5A3628C66CFDB747C32678689D70E5EB5171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:00.260{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622524CDF4AC04FC658E5777B59B9FE7,SHA256=455D4E051C1F8CF6B78E4FC679B93521ADA183BB48ECEB20A4E03DA68B38B063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:01.457{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2DA3960E8C1B3C6254F906A158F841,SHA256=45BA3AA1B43F7E6914F7717CEBDA92052E1FB80131C4668FD01F1E8E0FF4708F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.698{5EBD8912-2B11-6154-F602-00000000FE01}2201140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001539821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.406{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001539820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.480{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.260{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55107BA5F06709209DE930690FFB9D9,SHA256=DAB18D193DAA8286F68AA1AD256D71B7533FF13143A081CB86F4E3423021D3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:00.995{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C2BBC39CCE3E57430D43CC929B06C16,SHA256=925BFA77F5BDCF0B7DF13FBB387DBECEBC0BB31780D6CDE10492AAA254A0BDFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.933{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001539835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.651{5EBD8912-2B12-6154-F702-00000000FE01}56124932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001539834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.280{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65046-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001539833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.280{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65046-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001539832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.479{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93C2E9784384E681AC2558EAEC3DFD59,SHA256=B3B6897BFB10F2C3DA2875EFAAFA94BEE769557DE65E3285A7728DF35CCA61FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001539830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.433{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.276{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA3089B8F31A421F0B06F911EE99EAA,SHA256=5A706131E245F697BCE0FD48B7DF49A7C8D5355197A682E563357D82A9CA3F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:02.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884175F80887612D0F3EA01A0F70836A,SHA256=78BC37C9C64281B772F9B0F0F632C220D5BB2FF60AC6C4DB02A9EF10B85E9300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:03.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568ABF83A4A7B7BB4EF54EF769EA4909,SHA256=14D3744E4D6AA0F70826763CF1FFDAC7727BEA5AEF2D76DD205A680D5D8F2AE7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001539845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:03.292{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16D4B5AD2131E81EEF103BEBD125147,SHA256=45BBEB42BAFE3C9B0D5A3CC141CF2DEDB74C0A9420F511EEAC61EFCC0F6AB6FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:03.182{5EBD8912-2B12-6154-F802-00000000FE01}16842520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001444943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:02.930{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50703-false10.0.1.12-8000- 23542300x80000000000000001444942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:04.551{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62392D53A84B1B5C81829D3FF96D581E,SHA256=7D5A9C6A523B945E992C3144F55F5B4696BAE84386257DD88A8FAC18D6FA9D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.307{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B6413CB15F3C022475E691DA4A746B,SHA256=4371D2489F83E6C2E0AFDB964F80D7DB8A6BAC65F1B1CE1087695EF163F0201C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001539846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.010{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA3DD16398B92D1674B59E9414ACD77,SHA256=70D8B401DED7AED6D92DD69C24045DEC4B60478BCD882D37F3473988C488B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:05.566{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D70C23BD8AD38DA6ACC5974814D4161,SHA256=D74280071F55378DAA5CDA49032957FA6BBBDF1221D81678717DDCB91D6749C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:05.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6349BA48290D431D9914CDFBF2B693D3,SHA256=3381166E7993753AC84ACEBEABC580ED573EF9B47D9A3DEAF9F7CE3D1B1E3541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:05.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A06551D38F4BABDB84C0F393E5AD0B1,SHA256=2BA108061910DF3D955B377E1CE180C8F28CA86B823EAC2C63BECFD4A844DB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:06.613{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6EA094234C51725E73DB03AF8B3618,SHA256=DB37097E2DE8A5426B2B03472A0E1F9E648517654F2ABB9F1158E295BD03C6F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.343{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:06.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FB4935B33FA0E2B06766AB9207E5DF,SHA256=6DBBC3FE4A2E86942E35C06FD96E66335F469B29DF2FD240789DF4AEDB7EDE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:07.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9E2DC59A50CC399F646560795A4B63,SHA256=EBED7DA57E43F921E0348AF914F39C5267CDBF44988A0DFEAE05FE968F0C5A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:07.645{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A683CE4381E5235E96F2F8F3BADA292,SHA256=7F05D4A2A59D882C1D259A46215E24E3A92BC30D920D2C16A01A4E9C8B5CDCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:08.676{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825900B942A89DD612C74966687212C9,SHA256=8E9BBFA3FE033E2E92ED5A13CCF669B33F9A588CA0EC8AB00E8C74E1D8985D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:08.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B175D8C8E1D2AC9D18CC0E083F6D6B,SHA256=584C506D41965604B2A0096614E5C8A09D23F83AD6A9A80322551A176E774E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:09.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A51D48831B1778805E48A986438A3CF,SHA256=9E53B196D6B91B20D20AAB38DE1E82B4C4262394C9341ADA5FA45E2B7B8C09D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:09.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E5D559940EBD1EE8CE00A4F5CC518F,SHA256=9E46C330918134C0656CD449CFC55FB312B605A8F724B670525E8DE7E1BB6204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:10.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2641304BC1EBEF6260953FAD98106D,SHA256=5596916DA5F40A499D4378B2E8A9A26F0ADD2514244D4CB9103F03CF1E0E6251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:10.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E709DD9F4DA108E91C00A58A981593,SHA256=8694100D109AF5AB5B2206297D5D3FCF29DFAFBA41A03531717E49247B9073D9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001444951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:11.879{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBBCF90AF4C135830F47A4B1B0FFA34,SHA256=70217327AAADCA84B7DD4FF008AEC0E6FA52094C32D035C8E9FB91FEB049219B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:09.459{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:11.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BEE0D4EC5A7C2948745D586C469ECC,SHA256=75F972658D2866CF2C0BB4E5C6F1C22489546F9558D530FA0ECD9315ADDF15F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:08.727{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50704-false10.0.1.12-8000- 23542300x80000000000000001444952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:12.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5BC109174746153F748743CCF8D265,SHA256=F17E3102642248D8F749CB07D76BCE600471D25B87A73FACC5B4925CE0DE1856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:12.329{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEF10D4FF43838696F5FE4A1827AE04,SHA256=A9BB6C937BEE560B79971CFFDF150483C3CF5C0F006FABC881A6C3F84CE1B90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:13.329{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA498A7525EF51A805F11FBF28D9BD1,SHA256=C614DD3588C65BB63185949BC4343FE7CEB35DC5BE359C5C8A5965237E90A02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:13.945{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-076MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:14.345{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F0342DC09BB06A49DCBB978EA02730,SHA256=D855BEF9D1A6BC5A159C320DE87FBAE0A9B8F52B92D2CC388346993A309CA6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.957{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.832{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=35FBE2C325271038458F42033C5AB68A,SHA256=7B82FB6FD049D32B6D1D35D12546BC5B080CE4FFE42283BA00007AAFAE229647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.035{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC386BCF46AC5A57A5169F80D5FE7B2,SHA256=1F1A9F2F909EA4763CFF93025B85A383F653BB182B4B5A946B43D4502EDE2144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:15.345{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CD69E3959073EEEF2CE9DD332B94F4,SHA256=D82253F0A70063055991DC953CD4FC1C956557D45EC6A37373B934E40B2B54EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:15.048{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F30E245077923360CED4619C97D2F31,SHA256=BE41266F7F3E554FDC1486FCA07D1C0F26F5B3C0C7CC7D7BA6971AE595DFDA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:16.361{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6233BA4C633ED4D78CB579B409A4949,SHA256=C0CAA6635A32A8FF60A7B1D2CD935598428FCABFB8354A41447E99BCD7E97AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:16.051{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A843E6AB9D03940F140F48224D30D5B,SHA256=A5CE2B52D19CE3A8C92896BE57936FA7719EE81BB9343DCC870C0B023287D40D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001444958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:16.035{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:17.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471161CD41F0D260B64C7D77AB98FDA3,SHA256=650958E3E57DEADCE4ECF1E70FF116C83A030BA5D8BA8E1C3373179B3B8DEFBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.740{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50705-false10.0.1.12-8000- 23542300x80000000000000001444960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:17.066{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DC3EB6A9B497FBA61F1501EA507137,SHA256=2F079CCCBEA01E0AFFD698F6CBD299D5736088E0A71011490B0532D7A68F01E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:18.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222429421E028BEEBC65C0F5C4E343E8,SHA256=D1FF64BD111E9CB7B147B6F61B43305A42A7188F7A976C8F3BD967D3B71DA02A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:15.711{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50706-false10.0.1.12-8089- 23542300x80000000000000001444962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:18.098{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D017464CB6B20A53793AC1964FD8C81,SHA256=69EB399327C0B21425EFC2207EA076A06F93A8D828C6B53EBE16F255BB7BB4F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:15.506{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:19.408{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A4FD8C3C548DC1865C3A690220EE5D,SHA256=AAE438D8C8A9A7BB9D24967790DC8F5264F2A73A3C9C8DBCBD4DC702EB3CDE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:19.113{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEF7805BE12F4CF97E30D837D79C9F5,SHA256=E8797E69F1EB468AE77E32436EAFC3B56D60EE19CAD5D19F8BF60B1C9E7DB4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:20.501{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C3E40DA819B7C800132B67AB1A14C0,SHA256=1A798A9520C30A287B86E13F1818943595607F88E143A7C887CBC802072D567D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:20.129{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C634CE04D004112306D9872F05B030,SHA256=177E92AB1669846BCCEA81A87A7F178E38D150CC07A1629099D4D30D27C05DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:21.564{5EBD8912-18CB-6154-7700-00000000FE01}1336NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423F9C6499F8FF37CFD2A95D863BEF80,SHA256=8EB9D6DC66CC31A2C1DBF575355E8088EE156BB3360B3F12B0445B77E72A686F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:19.804{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50707-false10.0.1.12-8000- 23542300x80000000000000001444966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:21.238{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5185C79F76C47D9CF83B46520D1FB5E0,SHA256=A3A83DBF3676F2BD5EC009B06687C1A7FBF50F92B629BB7551EADE21A035F792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:22.595{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE7DA4F2E077C6C1EDF448B064E554C,SHA256=3A736AEF6F0F9BC50F0E2435CC3697392EC7E5FB2D4CA4BCE2386EE93A80C10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:22.269{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1E35D96ECB60E76DD8DFC6641B6535,SHA256=875CFF2B6EBC0CCD20435A0B5F21B8BEE1C10BB67AF222CB796AAAC74C366B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:23.626{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3433524AF081A2E26F15C7124595FAE9,SHA256=6C658C5977CAAC32292063480F94E92ADCC5DD1FD6E74E1E8F806DFD5360291C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:23.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A841D338F6C4322813E64B243A9353D6,SHA256=9D59F96B15A816E7C84D97972640A0E03FACDFB6997BCDBCE8C35641070C1002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:24.642{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37811021E6F9742F8A10474D5FBF14BE,SHA256=348FF1C66C834B2D62DFDC0E35CB93682BFEDBA10CD8C0C59EF3D43B148FC65C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001444970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:24.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B23427883D65F76592A8F87A4C60FC,SHA256=0B03215EA0C4E2348A00EA4602B3A525EA148E82E5ED93B6391CEADF9C925D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:21.334{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:25.756{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A809052153DBA4ED5321616FB98BA1,SHA256=CD9B6AB9DA35ED76E42105DDEBE296B85D834EB0D12AD672771FDAC14DA2B9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:25.348{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995EAD35119B85140C5B284BE1E7C2C4,SHA256=6FAB53324396CE9DB7C7E065C7E4371E6B51ED442E4DE95A31E25B41BE3D4B88,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001539882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:26.756{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27974A5959A2414321DBD4391A84AAAA,SHA256=8B05A00B6CEEE4E4446BA7AB615AE0813F0D2DC4159EF5D44E0EB9EB678F2D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:26.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EBCB5B28439ACAA0A99C532ACEF910,SHA256=6769210AF383459736AD573597648D2D46733A7E71F6DA1B4268E21B15A84F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:27.756{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF60F108751FF79B5EBB3E4F4F2AF6E,SHA256=CD56A47BAD768B06DCFC7BE9E934AF1503F8395EA25299CAEF7273385289E5BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:25.773{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50708-false10.0.1.12-8000- 
10341000x80000000000000001444986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:27.488{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001444975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001444974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.489{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001444973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8DA947FD735F92ACFEA4AE19684809,SHA256=F6CC49F7180012ECFC6EDAE41BBC59F822095C9E650E588D7D0B90E67C8484CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:28.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B407233F4193F12AF9C491352F0741,SHA256=0FF25C51EA8FCE84DFE20A1655D7BFE240EAF8B2D9CF5B195736741F79AB6372,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.741{69CF5F33-2B2C-6154-C102-00000000FE01}35962348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001444992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001444991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001444990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A730F3241ADFE26530B005EF281071,SHA256=136EE569678D942A1A082C3DBB3B11C0876A855659EFAC746FE4AC73B6DA1BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:28.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5779D1A6B98C4D14FF49C3EDBA1FF592,SHA256=BE07A993570D44158623E596589855FC6D7950346792B7A02EC6D8A8A27E11DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.394{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB036310DFB4962ADC9DBAD360232EEB,SHA256=1FA9314813CC788845681407564921FDF2A282DF0C5F493FB1BA39B89FA0C8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:29.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8B1C07EF2CF535CE4F20C96E400705,SHA256=CE36C4A73E814062C33AD7CADD84DC80B91CDC126919BCB0B8757B7731397E86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B2D-6154-C202-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001445018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
Sysmon events from channel Microsoft-Windows-Sysmon/Operational on win-host-542.attackrange.local and win-dc-429.attackrange.local, recorded 2021-09-29 between 09:00:27 and 09:00:42 UTC. The export lost its field delimiters, so the records are regrouped here by event type and ordered by RecordID as key=value pairs. Fields common to every record: Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID, RuleName=-; Version=5 for events 1, 3 and 23 and Version=3 for event 10; the date is 2021-09-29 throughout, so UtcTime is given as time of day. In event 10 records the SourceProcessId and SourceThreadId digits run together in the export; the fused value is kept and the split in brackets is inferred (the PID is corroborated by other records on this page for csrss 420, splunkd 1940 and splunk-powershell 2264).

Event 10 (ProcessAccess): svchost.exe opening sysmon64.exe through the Local Session Manager RPC path, win-host-542
Common fields: SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01} SourceProcessId+SourceThreadId=7324072 [732/4072] SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01} TargetProcessId=1968 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400
Common CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|<lsm.dll frames listed per record>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
RecordID=1445010 UtcTime=09:00:29.738 lsm frames: c:\windows\system32\lsm.dll+12023
RecordID=1445011 UtcTime=09:00:29.738 lsm frames: c:\windows\system32\lsm.dll+11058
RecordID=1445012 UtcTime=09:00:29.738 lsm frames: c:\windows\system32\lsm.dll+11aad
RecordID=1445013 UtcTime=09:00:29.738 lsm frames: c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f
RecordID=1445014 UtcTime=09:00:29.738 lsm frames: c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0
RecordID=1445015 UtcTime=09:00:29.738 lsm frames: c:\windows\system32\lsm.dll+12023
RecordID=1445016 UtcTime=09:00:29.738 lsm frames: c:\windows\system32\lsm.dll+11058
RecordID=1445038 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+12023
RecordID=1445039 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+11058
RecordID=1445040 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+11aad
RecordID=1445041 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f
RecordID=1445042 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0
RecordID=1445043 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+12023
RecordID=1445044 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+11058
RecordID=1445045 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+11aad
RecordID=1445046 UtcTime=09:00:42.691 lsm frames: c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae

Event 10 (ProcessAccess): other opens, win-host-542
RecordID=1445008 UtcTime=09:00:29.738 SourceProcessGUID={69CF5F33-189A-6154-1C00-00000000FE01} SourceProcessId+SourceThreadId=19403840 [1940/3840] SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={69CF5F33-2B2D-6154-C202-00000000FE01} TargetProcessId=1920 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
RecordID=1445009 UtcTime=09:00:29.738 SourceProcessGUID={69CF5F33-1898-6154-0500-00000000FE01} SourceProcessId+SourceThreadId=420372 [420/372] SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={69CF5F33-2B2D-6154-C202-00000000FE01} TargetProcessId=1920 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
RecordID=1445036 UtcTime=09:00:42.691 SourceProcessGUID={69CF5F33-189A-6154-1C00-00000000FE01} SourceProcessId+SourceThreadId=19403840 [1940/3840] SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={69CF5F33-2B3A-6154-C302-00000000FE01} TargetProcessId=2264 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace identical to RecordID 1445008
RecordID=1445037 UtcTime=09:00:42.691 SourceProcessGUID={69CF5F33-1898-6154-0500-00000000FE01} SourceProcessId+SourceThreadId=420436 [420/436] SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={69CF5F33-2B3A-6154-C302-00000000FE01} TargetProcessId=2264 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace identical to RecordID 1445009
RecordID=1445047 UtcTime=09:00:42.691 SourceProcessGUID={69CF5F33-189B-6154-2B00-00000000FE01} SourceProcessId+SourceThreadId=28322852 [2832/2852] SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={69CF5F33-2B3A-6154-C302-00000000FE01} TargetProcessId=2264 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
RecordID=1445049 UtcTime=09:00:42.895 SourceProcessGUID={69CF5F33-2B3A-6154-C302-00000000FE01} SourceProcessId+SourceThreadId=22643524 [2264/3524] SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe TargetProcessGUID={69CF5F33-189A-6154-1C00-00000000FE01} TargetProcessId=1940 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe GrantedAccess=0x101400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event 1 (ProcessCreate), win-host-542
RecordID=1445007 UtcTime=09:00:29.739 ProcessGuid={69CF5F33-2B2D-6154-C202-00000000FE01} ProcessId=1920 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe FileVersion=8.0.2 Description=Network monitor Product=Splunk Application Company=Splunk Inc. OriginalFileName=splunk-netmon.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={69CF5F33-1898-6154-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC ParentProcessGuid={69CF5F33-189A-6154-1C00-00000000FE01} ParentProcessId=1940 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
RecordID=1445035 UtcTime=09:00:42.692 ProcessGuid={69CF5F33-2B3A-6154-C302-00000000FE01} ProcessId=2264 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" CurrentDirectory=C:\Windows\system32\ User=NT (the record is cut off at this point in the source)

Event 3 (NetworkConnect): streamfwd.exe to 10.0.1.12:8000
Common fields: Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationPort=8000 DestinationPortName=-
win-host-542: ProcessGuid={69CF5F33-18A6-6154-6300-00000000FE01} ProcessId=3980 SourceIp=10.0.1.15 SourceHostname=win-host-542.attackrange.local DestinationHostname=-
win-dc-429: ProcessGuid={5EBD8912-18C4-6154-6E00-00000000FE01} ProcessId=4004 SourceIp=10.0.1.14 SourceHostname=win-dc-429.attackrange.local DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal
RecordID=1445024 Computer=win-host-542 UtcTime=09:00:30.898 SourcePort=50709
RecordID=1445031 Computer=win-host-542 UtcTime=09:00:36.742 SourcePort=50710
RecordID=1539886 Computer=win-dc-429 UtcTime=09:00:27.339 SourcePort=65051
RecordID=1539892 Computer=win-dc-429 UtcTime=09:00:32.449 SourcePort=65052
RecordID=1539900 Computer=win-dc-429 UtcTime=09:00:38.339 SourcePort=65053

Event 23 (FileDelete): splunk-winevtlog.exe replacing its WinEventLog checkpoint files
Common fields: User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true. TargetFilename is under C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\; only the file name is given per record.
win-host-542: ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364
RecordID=1445005 UtcTime=09:00:29.442 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=95A411238318AAF9EC12B326D564422B SHA256=3873A2C8E2E8F257EA384C453523DDB9279AC18DFEA7A55891014FA999DA6587
RecordID=1445006 UtcTime=09:00:29.707 TargetFilename=Security MD5=A8A730F3241ADFE26530B005EF281071 SHA256=136EE569678D942A1A082C3DBB3B11C0876A855659EFAC746FE4AC73B6DA1BDD
RecordID=1445020 UtcTime=09:00:30.488 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=4A18968021295E8477B341ED34B6FE53 SHA256=FDEF20153F37A131F3CAF0BDFB2E9C55F97591E18C3777D68C1AA3D2B263A0F2
RecordID=1445021 UtcTime=09:00:30.973 TargetFilename=Security MD5=49497B1F5C03B2E43B73DFD5585052CB SHA256=57DC97E677548084D6EC7BD3C977C4B68F8C977DEBC169FFB205AB31890D31A4
RecordID=1445022 UtcTime=09:00:31.519 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=2532C169DF4DEEE68D044A458AC16EBD SHA256=EBAD1229A3EBB8995F4EC3AE821EE1DC11460851C2E04E16AEDD4CE96CCD393D
RecordID=1445023 UtcTime=09:00:32.551 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=A07116F8B5F146660FB40AAB267E1CB2 SHA256=50D14025384D38C54821CE7744CF320956CDB8088AAAE4A145EC03AC8E748A2A
RecordID=1445025 UtcTime=09:00:33.582 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=F655EF74E818A22AC7EAAC5B36759366 SHA256=FEF918BC6DC996208F24CC6363AEBA139EFE1D273796B0B044D620B81CE707CB
RecordID=1445026 UtcTime=09:00:34.582 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=4DF4A6730C331723E8F91346B36E33AC SHA256=3F61E65354D5F082F628B0CC375DA0557E6A8A8F95ED0D379AC525CB1DB410C1
RecordID=1445027 UtcTime=09:00:35.613 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=409DA3907AFB891D7C0E66CE0A37975F SHA256=15F228E238A58422A470E342FB072461EE4F7C2B3DBD899B8B8AC4406BF35804
RecordID=1445028 UtcTime=09:00:36.629 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=BF09EFCCAD5EC47CCAA17601551670DA SHA256=30F6C42A026761A92E6FC16E7BEC9E75AC1A5ADCB714A22F38AE8E1471BCF5EC
RecordID=1445029 UtcTime=09:00:37.660 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=0CDBBE70C78D3687C1451AEDD884DA07 SHA256=B796A086ABBCF60D3C4907CA40F48EDE99DBC6198AA26CCAB0EF3136E4906504
RecordID=1445030 UtcTime=09:00:38.676 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=9AC9A79C2D0C5A126D730CCCA6B9A9AE SHA256=FE89B3035D4135AC0D590257EF328B1C410C76413E2DD5BFCD64AE4AD753CDF0
RecordID=1445032 UtcTime=09:00:39.676 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=539AEAED0D38CAB7E3673AAAD3535AC1 SHA256=37700C4F448CFFCE43CFC147AA63B3E54944505BA9115B67B76C7EBA5378F698
RecordID=1445033 UtcTime=09:00:40.707 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=0555983ED8883C32D396920A4A41771F SHA256=2F367ABD5A876385D88075EDF32D5F85BBF21052F2E70510B2130BF401AE66FF
RecordID=1445034 UtcTime=09:00:41.723 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=8CDF6569A97ABF548309C1D504CF9967 SHA256=6D3FA2A3018F8B41CA767DAFC3D04D90BA83A0B7DDC5EFF1FE3221E0035E53E0
RecordID=1445048 UtcTime=09:00:42.738 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=8B288BC21CDB907A924BF53B275605AC SHA256=D6C0BE8220C0C0B03A7910794B64835B224F7379C765C12E904928FAD5C711C9
win-dc-429: ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336
RecordID=1539887 UtcTime=09:00:30.788 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=749E7EE593FA70E92698B013D7918CDE SHA256=C3B2831FFD1C0551D220AF44EEC73CAB48D20428371C36862C9593F68B9F717B
RecordID=1539888 UtcTime=09:00:31.788 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=577AB85A9BBBFB78CFBCAE5848152C1C SHA256=C77A3200AE28CE89E82B8E114FBE2DC6119A3B41A1956FC395DFA08150434A71
RecordID=1539889 UtcTime=09:00:32.803 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=659D1CA455030660120693E977A46F5E SHA256=4460807AF4630013E4EE4A58F5D58D12E377FC7ECAB2777D7265A760BC793D34
RecordID=1539891 UtcTime=09:00:33.819 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=EF7EF713731E84151F9CAE6C3577CC76 SHA256=F6E921A29684F3DDA16442730F29A73A52F970A7DEBB0B55082D15EC051C6AB4
RecordID=1539893 UtcTime=09:00:34.834 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=5E40E761C142E35C1F79C31FE4D11388 SHA256=81F33EEBE969DB28B66DEF7FF96EFB350DE9CBAAA214D1D1A0B6DE42DB056151
RecordID=1539894 UtcTime=09:00:35.850 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=CD28B9C0BE3AF548B9403F4F21B1604E SHA256=26EDB1CB31662F4E3555348B263A355936E1A267D1425D1F6EBF4C07BC891C4B
RecordID=1539895 UtcTime=09:00:36.866 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=33F1468A4A7F9DB85FFE5F6FA48134D2 SHA256=8EBF9865C1F714B07A0BF87D06A0F189C6E9AB8B1D7FD86A632FC8DC86A1170A
RecordID=1539896 UtcTime=09:00:37.866 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=BBD803ABDC67CA9F0FD4388A2AD8EF33 SHA256=1E784C844439AD0A4667887D8710814E9C14ED93B2699DD59AA8A6AD3AC9F7BB
RecordID=1539897 UtcTime=09:00:38.866 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=D624F6FAE7E6D5FCAF325A3ED0BC0D0C SHA256=0D197352D11BF7575B00AF670F5F02FE537A0743B88DCF6C41A3547568782FBC
RecordID=1539898 UtcTime=09:00:39.897 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=2F6F27B2B1E74C91E9E4C05AE46B7B02 SHA256=3C627DE5029BD59F7E4C0130BE197D3B43C3CA76B92336655BBE88E03064A46F
RecordID=1539899 UtcTime=09:00:40.897 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=F2AAC5501BCF0B2DCFE5A61F9CD0C061 SHA256=1A35E98F3C7F05DECD5A431CDD65BDA56ED3FBED7CE89C25A4F49F1570EDE8F7
RecordID=1539901 UtcTime=09:00:41.912 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=19B0B280039A2781FFD475169D90DE5A SHA256=C251FB3B8F3FCDCC2756E5F92078FDCA5AFCA2909D8F2D45D9C6FEFEAFB677F3
RecordID=1539902 UtcTime=09:00:42.912 TargetFilename=Microsoft-Windows-Sysmon_Operational MD5=33FA77D5261E11DF1C225B093B1347AE SHA256=1904C8CA8D76BD59CAF1588A54A73D9BE96ED4B001195444989D799494C12393

Event 23 (FileDelete): the one record on this page not from splunk-winevtlog.exe
RecordID=1539890 Computer=win-dc-429 UtcTime=09:00:33.788 ProcessGuid={5EBD8912-18AC-6154-1100-00000000FE01} ProcessId=444 User=NT AUTHORITY\LOCAL SERVICE Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat MD5=D5857454A487A87496B15915DA6AE855 SHA256=A9C27F1F131D4AE9833EC47162E21D23FE0C19008A94B5B182E6167442935E09 IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:43.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607330509A646BB8D6BBBEFF74570FBE,SHA256=EF4A46A9C912C3A4236669F11A42295E50CDC2EBA00B728B0BC24EADCCA32B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.927{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.910{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D8A7E87F1BC6EE40A227EA797E9757C,SHA256=94F083F3F449BE8DD6C58FD166CB837B3F571C63AF48F89DD59F05B79DE6DFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.910{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=528F5C1BF7BA0CEAA382B31ECE9185B9,SHA256=AB33768231588CDBE5BB3409299958AC237C1F28E1EF1643376C694E35B0C66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6483ACD3D037603815440BE1C3D1875C,SHA256=B36A7FE9E4785D1AB09F8771C195C6264B008637E3EC0B98D9925838BF724508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.535{69CF5F33-2B3B-6154-C402-00000000FE01}37043944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:00:43.363{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.364{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:44.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B1D7320271DBCFFA3DEB572FE60BE6,SHA256=5C7612D5551A0BB61A953F361FC560C9A6DA31D9A3972A8651826B0275D353B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:44.900{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-076MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B3C-6154-C602-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B49-6154-FA02-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.785{5EBD8912-2B49-6154-FA02-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.628{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77AFBFEA6A0F4CE6078E7047FD7CFD68,SHA256=34C422976836ABBAB1840B2E5E3153B8D5EDE8AA0BE93F47E7E039EDE12818AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.144{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E294DF19DA1BB7EBD4EC72F98171D959,SHA256=99E277C647EF709F7D7AF5C5546C8F109D92486F203440375142DECD14709BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.508{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001539942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.051{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT 
AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-9516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:53.970{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-9218-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:53.654{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19982-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:58.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E52E898929FC20C2F7B38A2F3F32A87,SHA256=650A56DB5EF3453CFF29847DC8A974D5AFEEB01CDFB6DB6B8818CD3F601F6651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.753{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A899414C48EC164F05AA1DAF7DD9E57D,SHA256=0A6F35A49EBDFC1CA42B0B9B4A832AFEC4D58FB6B0307BAF9BF3639AA5AAE4A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.597{5EBD8912-2B4A-6154-FB02-00000000FE01}5100380C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.395{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.175{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476D2166D5E2077EFC26C6A4785DA266,SHA256=83AB3ECC8C5A48F9ACD01543D4009097CEF42928AA66D16118B6F02AF7A72E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:55.474{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-16717-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.734{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:59.457{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7C389B6090E0E550A51931043A98F7,SHA256=83218AC6724C412CF7790CC23900352E21B55027B526B133946EF85CEFEF90DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.878{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DE72742CFD9CE03CEA78AC352B95DF0,SHA256=679E981EC738FB7997A28B14C3A7848F7D720FA3241A6ACE6081345930BA1064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.206{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D6BCA002CC01963E54B22D091B2C1,SHA256=447F7B41C06A2D99E942D2F32399E067A435A3ED9FC49238EEF3A86736FF2352,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:56.949{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:56.937{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-23396-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001539975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:55.825{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001539974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.020{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:00.488{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BCDB2AC4C166E72EB8B8521A0E26D0,SHA256=C961856CC521708F027C5F5E8BB5D9927F65C16C95B0D0BB32B9F445B4409B98,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001539982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.987{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910F8C6D18755FAC8AC849CD694FD126,SHA256=F4C4098445811116EC48DA501BFAAC17DE7A48A75BB70BE4600A6F48CF6A0739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.222{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF2A3A973EF02CD0BE063A28E69605B,SHA256=9B7D737B1074A2057E8A200164AB454A045A3BB0E1F086B5B793A1C968B90948,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.077{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:01.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68B060D4E2AA4BA1008F03D17C644CC,SHA256=79BD7969A2D328E5ADA5A938E2DC546D0C3746FBBC91AA7FAE13A026E5386CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:01.628{5EBD8912-2B4D-6154-FD02-00000000FE01}60804280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:01.472{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.237{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D4503AAED2A80D5C49A2046B02C929,SHA256=3B7477C6384992AA544708F57E634FE692AEFF19CAF68EE86FE648005A4B04AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:58.757{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50714-false10.0.1.12-8000- 354300x80000000000000001539984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.207{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.190{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:02.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01B326378AC557256614CCD706C40C3,SHA256=C911DC4C5BF79D4AA40A63698EFA4AE1852316D681EF14881659DAD6BB1BD34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.565{5EBD8912-2B4E-6154-FE02-00000000FE01}5996892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.348{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.300{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A499A5828CAF6DCB335C841778C8E8E,SHA256=80688B75A1FC954821866574C8F083BE1483F46BF63E7981AD0F00CF04807F99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36671-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.290{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001539996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.290{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001539995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:02.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A1015204F44AA460E7E990DF09BDF8,SHA256=6028F3E7D2847F6DAAF829DA4A80135BC5099C40B573088E90FF48B97CC171D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:03.567{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D71FC7E8CA9B708A62648CE0B6D980,SHA256=32FB0C30AAFFFA49AC912A36353A1C1A67BBF996E660FCDAA0BD4446A87453D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.331{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07C524E65C6430E0185F869FDD4E4DE,SHA256=9B9DCE514659982F96A32D22FFD0A8082F528BB00BA6F3E571F630A84C770410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.285{5EBD8912-2B4F-6154-FF02-00000000FE01}28005772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001540020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.034{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43747-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.344{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.300{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.159{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=785079744C8F1D2603D91D004BDAB003,SHA256=2F1C6550CC33DE6F654CDBA13B12538496FD401539005BAA765E97FB7B291C9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:03.019{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001540034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B50-6154-0003-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
10341000x80000000000000001540118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001540094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:18.774{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-20898-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:18.405{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-9919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:18.354{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:17.525{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-14085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:17.329{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5329-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA0308306100FA42B4309F1224F01DA,SHA256=CA7F6F1F97B069C6804D3EA94725A2A06AE5C6A73582D62025F9B1D1E9138DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.176{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12897DCFCBA5E06000BE989AE5440DEC,SHA256=F22E448E8B71685CC7D3EC8024B7088A036A0329F1E40D1F584FFAE84F82288E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.707{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BFC4920683938F618B07DD2AF842AA,SHA256=C6A599368A407A0F66533035678ACCB9E5F487C4A9FBE0B7E22A9FCBE169B533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:21.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812D2CF79C4FDFB3E6B3B22A51F538C5,SHA256=475CFD57F9215E439958A5DFA5B541171C20FC61BBA50DFDDFEAB1DE226F2F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.254{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10B3D29CFB670B7E50C555CE808A0851,SHA256=94149D3015303D298F5DB662288F5A7960D39D7F86EAA5615BE062D9DEFB90E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:22.707{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2C7641B10807295C879574E230052C,SHA256=57B3C50CC05D1855A959A9D0A8BDFE829D01E2FFAD4913C3EC8DC8D51E0E6C55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:20.842{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50719-false10.0.1.12-8000- 23542300x80000000000000001445143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:22.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEC3099BB8BC2F43547D9BB6EBF8112,SHA256=328F5CBA6B1B55FB9000F1AD7ACCF5019401E02275BE98A934E4538E867400DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:19.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14903-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:22.332{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89F7971C870A079961D113927A5B09E2,SHA256=CBA2CABDF89D466F6EE953D20531EE694ED42796781B53F640795193616AE131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.738{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1593208B2495F3CE6F5B03BEBDE6DBD5,SHA256=1B5F86CB5BCEC8178F552944D5F621D6EF4993493C994135AACF4BF6B5C815FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:23.058{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C124CF8C022DC219447CFF38F6C723B6,SHA256=DAC624D04DB6D793D4D1CE838627A048FB185A8195547269AFEC2B462028FEA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.377{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-34629-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.561{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001540126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.024{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-27929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.566{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=873823BC54C8FFCC52E03DF04D9FAAAB,SHA256=DB3128E4B9BD6D5E2AEDF18F49826A9D247B66AFFC83B2E36C01C4237F5533A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:24.863{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5758B311F70CF588547608A0505CC3E3,SHA256=02ECF40C5C4FCBE0B78A57D86D8C4EACEE81D494F6E57FC288A7999BD850B400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:24.073{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95481A214DC626CF8A954E7C7DD86BBC,SHA256=EE8BBC06EB7B548E4D5CA949E10A4137A34D1BC194A2819DE45593E37923C7AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:22.640{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-41405-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.663{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:24.598{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE8BE48726854436BF64C919615C448,SHA256=7D4A2EBBAAE1D12FE1F94FADDC8C1EB26923D25C2823AA226C4579A4F28D0302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.903{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6F791F06D0EC840B4ABA22F8C0347D,SHA256=5387B7460A811E6D0BA59177464E52DA9B5DD3EF8ABC0DA15BC50C8CC9636B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:25.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FD7D43D02C3655B55EA260C5E48FC9,SHA256=CAE2C4DEA9B37FDF63587D637F2CF6F399340222037BEE2C883DF37EAB1E5901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.732{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECEF37187591394FA0E2CDCB07CA3D33,SHA256=88B437C7868A282CAD2CFAD20DE9075467968903B4ADF44AC84CA1D3C9FD7D8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:22.875{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29540-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:26.966{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E60337331041165138FBD5DA0586D4,SHA256=F23BAC93AA65ED5CC10DD8414E3F7060E8AAF02576FBDE69091BCCC418AD0FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:26.810{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D2E66AEBF4FC132816B892B837AD237,SHA256=ED586942C19363786323BE2492C81A51FB24625B48EF472B23344FE3FD9FB4B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.960{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-48355-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.953{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34282-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.416{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001445148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:26.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357C93A4152C20DB8C9EBD2FE4A0977D,SHA256=637DB880DC374F89C9052ADA1AEC3666BBAB9EF76D03DBE88716760F320531D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse87.251.64.140-56380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.039{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-38966-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001445162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001445160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:27.495{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.496{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.120{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9DA6B0D8DDB99EC9DBFDFC1EAD6FCD,SHA256=CD70B60847FEF556FCA85B1548E1EE394F34918F6D4599B9A96E14F399324C2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:26.873{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50720-false10.0.1.12-8000- 10341000x80000000000000001445179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.855{69CF5F33-2B68-6154-C802-00000000FE01}16682324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B68-6154-C802-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
354300x80000000000000001540193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.881{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.455{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:36.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B0A6F6EEF2F70ADBA11B01C35744D07,SHA256=5B9307351A0BB8E00E5FEA6690107C8517BEFFA83AB2146AD8B0729B6B5D5A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:36.435{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B7CF61C4ECD1D578DBAEF8985BD32,SHA256=B770FBA4751CE2AFD59AADE5E5009274295BB69BD83D5DE38EA6FACAD32B9871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:36.261{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D07F9CBEAE9D89BCD89196C95AF1F4B,SHA256=D484C5D6963354F949EA43073653964A44E5C88150E43E23D6FE94A2373A3B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:37.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99692A62CF71425C85C0BDF7902B4CE2,SHA256=66C3CA626385B868F979025700AFD1B01FF990C3B189E062E8792B714008BC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.919{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2EFB4F8D0301CF1FA5203A10AFFEEDF,SHA256=F6D557A16A76EFE7BD49E4FF446F7341B142D496E7F648BA50BEE4D757E4503C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:34.993{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-23267-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14260002173F2F78E30F3893F3D54069,SHA256=55CDBAB2240BC3D37FD8F93CD274868578975D081B36DEA42D4AEEBD7F3B46BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:36.189{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27997-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:35.988{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-53169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:38.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E269E4EB61535E722DB4894DA4F91C,SHA256=0DCD20BF7535AD77440B27490476FFE6094DC00639F0ADE9F5B7478F787DA997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:38.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42750085BE6304B5DE5CEA4FB4EB5E36,SHA256=A782826A69DFF05C3A7E6D4E875BDB3C3A616EAD67F4F71519DB907BE648B0DF,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001540205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.289{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-32706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.283{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-1228-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FCC88AFDA6FDD5B1944BAF914BE25E,SHA256=8AA65979FD76A7000D531EC4D5163FDE3348F484769BCC7C6E74C92A2EF4126C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:37.763{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50722-false10.0.1.12-8000- 23542300x80000000000000001445207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:39.308{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0096F07B9635C48D323DCF1512D5BF5A,SHA256=890F4ECCC04B2687E8069AC9FE3DCEDA4C4D57F24A99A8C7A3ED9DE95B29286E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.091{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6625CBCF02840D5A900143BC267FAE73,SHA256=4CDB7111C95DB1E46F2D067FE5EE3EA3F8C3BBA9D1033383C404330F0E0425A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:38.658{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-8431-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:38.414{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-37575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:40.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB692D6CBDECCF6C91AAFD3F5E846AD8,SHA256=EC90FE6000FBEF651825326EDB69CB865D74FF02049AEF12E49AB41991DB4CB9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:40.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D06DB811C3952DA3903927CAF3408E,SHA256=8521E0FEADC5E2C3FCA9EEA50249221C7315B6EB5BC9402C95B72D5AC4CC3313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:40.216{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05123BC8D6678B330DA2F0B26E56BB3F,SHA256=BCA0C9AF3B9D80C5F389D7CF6468FCDF520B101EFF986869996F29A934F36478,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.910{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-15341-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.538{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-42603-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:41.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08914E62FD7E0BFDB56D754229CE972,SHA256=7205B59458C3E0B60EE5B39A0768C32B166BCE4D6A73F0AAF4CABCD7E6F696C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:41.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4450AA18017C1242005296D261911BAA,SHA256=4EBD6D76780CF09C59B56AD78D639692EF7152788BE41225A927C064C7E9EE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:41.341{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A01BBF6003782D87667EC82BBFB8324,SHA256=AF441519C9946BBA51BFD44EC05BF13DAEC3EB3BBC57B6B24A918B659BCCC7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:40.653{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-47311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001540216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.653{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13EAD0C233ED755BACDA34D608BECF03,SHA256=1B76AEC06B74D8E699D44DB3F680E0F799E47DFCC2186A34113B594AF6B8BA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F28F1D7D8675CCE9A7679888351B1,SHA256=076E7A3213BCAFF26FA4E525A4DCFAD831CE6AADC054F4BAFF35E517B30AB1C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.980{69CF5F33-2B76-6154-CA02-00000000FE01}40603360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:42.699{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:42.699{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.700{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECCDDA060FF9EDEDD1D629EBA1A91BD,SHA256=BDEAB0EAC9BE36478E495DCC49D29BF356081E49A50C610A73F139DE7B4FCA40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.021{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52797-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:41.195{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-22248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:43.825{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE24E877D06BCEEF31BADD432E6D0184,SHA256=EB1008555CBDC1A338BD768D61762C845DC92B7A498470AC892F6932C434957B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:43.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735D000AF15C6C36DCEFDD84C1F3CB5D,SHA256=884D966D6FCEB5480F50BE424633939E5B9FD11820CD2EBE4EB475082491E410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.933{69CF5F33-2B77-6154-CC02-00000000FE01}27681996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.761{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.762{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.730{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364A480CEAA405AA1AB1CB1344708623,SHA256=F9096093EECC4C57820EF343FA20EA4A4A0F6230DBDCAAC9587A592E08ABC67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.730{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=459276718A0A5919540D25133EE66BEA,SHA256=FB8A60E9A6FF99AA3DAF47A8EE02EFB944F46D053BEDF1029ED5E3AF21435F83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.543{69CF5F33-2B77-6154-CB02-00000000FE01}37683352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63D619B8AB67212581724101F8B2AB4,SHA256=1B1834A43CA956D922D58CCD0A605A291A76B0E246A222BA2C67F53F804E360D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.200{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.471{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29320-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:44.950{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5866197A725DE735EDE9AEBE5E15EF74,SHA256=DF22F2B31F2F87C23F137C97702D9BA525C71EEFF0D1DC7351CFB9A4BDC4E41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:44.606{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F5CBAA33194B59F3C153106326D5E0,SHA256=1A01E8616D0C8C299A04EE92F5A701873E69D189E3434E9D6AF4ACB73E81095D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.996{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364A480CEAA405AA1AB1CB1344708623,SHA256=F9096093EECC4C57820EF343FA20EA4A4A0F6230DBDCAAC9587A592E08ABC67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.902{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FA06837146DFBEB9BB9219B7192877,SHA256=7DD47290995377EC9A8AB93494C5B530C6C2B880F23BEF07404161E7130A15CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.763{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50723-false10.0.1.12-8000- 10341000x80000000000000001445269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B78-6154-CD02-00000000FE01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
SERVICEtcpfalsefalse87.251.64.140-30155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.589{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.509{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29121-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.350{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-28682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.268{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-28132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.190{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-27500-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001540282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.111{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-26756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.020{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-40078-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001540305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.742{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1F5F89A5AFEDF3C7401DFDDFD90EAD,SHA256=6F35B713D65BB08CA81196D2290677E15BD7B5AC3F5460608B88D1A0322D6E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:57.011{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1991D77ABC466168335E9DF820CA52AC,SHA256=94589A4B522501E6C7025BEE07B0008B6EEADE90D9852E180507388B9BECC724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.961{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.835{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=878D4A7F0D0C0BA823AD8201E2B7463E,SHA256=85A78D5CD25C50FEB1C98D059D8073BE633B579AC5DCEFA8E155EE0DEEFB1B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:58.835{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8662104EF614D0B98C0D597338A6FAC9,SHA256=A449E755986AB9948CDDCF482C0119C52ADDF31EA160C0D2E5E2DA2F845F10A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.789{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6761E22AAA3EE42D3AFB7A0F689733,SHA256=796DF057A62E4EB5246268CC76A4ACCD30F4D8839DB5948F791D90849663FDB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:58.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44AF17039608E246D963F15A69D9CBD,SHA256=91ECFE088561E97B40A0DAA8E0FA4C597EB70DD2F1E7DA4A0DE0C9C5B9B32F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.679{5EBD8912-2B86-6154-0203-00000000FE01}26845652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.461{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:59.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606D8B47F05A8834D3256497D6F1C8EF,SHA256=FA1B2F314B21A15462E1609A90B6CDADEAC5F36326FFA1049726924F840890F0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:59.090{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2A2AD571B953FA31BA0842CF65D531,SHA256=CE1711B074EDAB82BB73B9D543E3DB6EAA4CE4627516AA15DF704B31A70DABE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:56.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:00.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC8C1713896AB20D79845D96CBAE446,SHA256=067D0A453E38E22BCEDEE72E9918FAA88C29D978AE2A2E10B51475C50B8CD03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:00.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=878D4A7F0D0C0BA823AD8201E2B7463E,SHA256=85A78D5CD25C50FEB1C98D059D8073BE633B579AC5DCEFA8E155EE0DEEFB1B2A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:00.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5776B0BB409802839BC68B00765F7428,SHA256=8EF1C59D0E0E4A25C62B9EA83BC28F0D717989876DF74BB040325EF341D0C711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1540992C278597871EAECC9CE765A8B0,SHA256=34AEC658A00ECD79CEEA09DE658B839168398A311A9DB814861C3E5F14100E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:01.137{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F38D50B2E66330C5FC6D701096BFF0,SHA256=3A4694DEA3A57841E68902A8F063B33D796564523648F2ACC8A5E081AA58BBFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.648{5EBD8912-2B89-6154-0403-00000000FE01}25001956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=278BD250B631082A408E4FEC7B21837F,SHA256=17994D17F221F11BF2BD6C79FF8F462BE3C8FF5273F04665D57212A16ECC021B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:58.763{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50726-false10.0.1.12-8000- 23542300x80000000000000001540353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AAF31AA6BF03FBF2D535382A5F9E4B,SHA256=72E31FF695BE33977C5AAC68C28A91F574816856C3A9EFCD1A56922083DC51CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:02.199{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A87572A24BD92295544687632451FB,SHA256=1FF7D22FFADC5819BEE415BAF91FC1D5CDD909441D0F80D4E894DEC8FCF9C0CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.570{5EBD8912-2B8A-6154-0503-00000000FE01}46763440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70EBDD1F11D050865FB75F43FBF3EA21,SHA256=F938E506DEA062A8BDD5CD50E334C51C6EF3B2AA95BB822165245EECFADA0DC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:59.296{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:59.296{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001540363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.913{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D7C8F805B08DDA3192D9EA9CA7ADEB,SHA256=12AA3A87B6A980C9AE4757BABD6EB352C8D45D9BE39DA3F8E5245D7D2AE500C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:03.262{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94368884B0C4E77E10408A4B0172DCA9,SHA256=CEBFF9944F3166703093B0F3D8560D0CB42CCB5ED0B56E5EFBE463F291CC79D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.288{5EBD8912-2B8B-6154-0603-00000000FE01}52243140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.039{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.913{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D66E27553C34163D71BAD23D6935FE,SHA256=70FF4095F5918C0B92DF24A4D6515FB2DF36152C9E2454C22C9FCAE27522FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:04.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6228726D1D4E8C6B82865D816C3F85E,SHA256=E4AB1F11A6C221057E0F04A6EB47DC1EA5246DB878A5AFD2D3411C162AA0072C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001540371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.664{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=365F4100BFDAF22D1F34C4166EB666E1,SHA256=7BD7406F874087815FC933A52CD8F28E2CF2DE346A0A796FA749C7490E88808E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:05.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0399B92092A1C784CB95F8094D6F163,SHA256=222009578E1911D3CD2C83360B569F4C67C76ADEA80B6107FD0AB6694B74A0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:05.704{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86568A4500AE403E425A051305DB74ED,SHA256=CA4AF3D3BDEBAF648525F43A2942A36B3732E25554DDE55009834D263A9F8ACE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:02.390{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001445297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:06.308{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24645DE614F3BBA8657720CE6001CDC,SHA256=BF78EEAF165F2EC937391EC5984BB160D9B40948F0ECA814606AE909B822CD1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:03.795{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50727-false10.0.1.12-8000- 23542300x80000000000000001540376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:06.033{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B2E577BC0931EC82A00DD82F98387F,SHA256=630D992B5D6E83C73A233ACF876588F8F2F3A670114D8311258AD80C0A292F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:07.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7BB0EFCE2E35B82A6A853F70EF33F2,SHA256=944B01763D406CCC86A6CED302D05D620B0B5140750052D5C29CDC2B47B0B61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:07.033{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005BD9B49BD2FA4065CBF2F2CBE6757C,SHA256=BF1B77EDEDFFFDFBAADFB0DFEAA635CE331D7F67D3C5D246CB6D20159A9873BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:08.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4620E96A4D65DEF8C40BA013D9EDA73,SHA256=376DE78E28B60619BB4D2D388848BF0C8DFED995C4DF55808781912BD737609E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:08.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9315E7FA92034B9E411252C471A5FE,SHA256=85C447124226F4E479BB50EA3C17420798D815DE564DA153F01262D730B9B860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:09.371{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B865363777812103BCAC70BC1A2FF4,SHA256=06FE672A080998B8A0479CF0185BD8709E8930E0EFFC76F48229001C7782D592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7310473791A5FDCE5B8076D77FC25DDB,SHA256=728900B9BC4AAB9E02F63087E47E3A734C4CD1F64F345C84B2D63EE97F6F977C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:08.826{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50728-false10.0.1.12-8000- 23542300x80000000000000001445301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:10.418{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C609B53001C0030C981348C1565891,SHA256=28EBA1575ADBFEB8EC3077E5479B446903317DEF6993718996C13D60D25B0891,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001540383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 
09:02:10.173{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001540382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:02:10.157{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001540381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:02:10.157{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001540380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:10.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64263AF6EBD5135006D07D373DA2E91C,SHA256=6DA0AF3D1D1C1B07DB5AE76023C726FD03554455CD68201358EF72DD808E33D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:11.434{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFCE08F513A7E840FC5D5855A78E863,SHA256=0408EEB815C9040730ACC1C71E6A66F2B0339DD5625A5742639037B7C69B3224,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.463{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65076-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001540390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.463{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65076-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001540389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.447{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65075-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001540388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.447{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65075-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001540387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:08.352{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:11.189{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA682C2CF20025AC8AA89B0B7E0FF90,SHA256=7DB32ECAD0E6E1AC67754B9429DFB5FDA7AD145C18DBAD393D2F6CA9F98DEDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:11.189{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A249925A6A89D322CC09F2CF1321CAB,SHA256=819B8A97079DDB31A1F7C1187EF0F01CE31E56201E5F55329584DF3D978DD9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:11.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260B79910E5CC07521B2CC143C0C9A9D,SHA256=CB67A25DA9985A434C047346127DF61FD922B5E9CAF1D324B702DC385291D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:12.449{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55469A7A0FB79939A28D9C41C037F924,SHA256=3EC92414ABFBFF3BA49D28683D0AC1D043875ACC7D38B4F703BD4CB3D0F53921,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.471{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65077-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001540393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.471{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65077-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001540392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:12.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183A001BCE69B2149C14B0F7355E8A6A,SHA256=5FB0AF2331A5236C31CC8C1A9A15641BE923D40158CDE31A292B7ED8E78B8223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:13.465{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF58CAE149E7794BC4555CCB15196356,SHA256=1943BBF80D7B71EE657CD42636233570878F09561CC7E62482034E79E5B4A426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:13.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3799F7E9660377A0C8FAAB8FFCBC5E82,SHA256=2B759B77AE598668F1F3E10E21A52BAD7D4CCEED7DB0CA76E32D42C5E2B93921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:14.856{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D99414828323FB989D286FB1D3185C98,SHA256=CD2FAB5B70E33496F22F6AF217BE0F4A83414C6FC5E5F92FF6BAC9ED2204791B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:14.496{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B391E4FB300B18476A5B888D2237676B,SHA256=19E9DE603538A6DAD426E2A9963726969457CF9215A9F8A01121B13C296444D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:14.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DFF392254A08A673BAF3DA013E76CA,SHA256=7BBFE1FEDE5028CAE267E6CBEA37FD8912FD5BA2C5B4CB7B12A99C44CE51E1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:15.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8502D50E720AA31F51701841471DEB,SHA256=6B2152DC87101E2CEE94281C04446C8F55679ED93C2F64661526596F0186CD4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:13.431{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:15.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1768B925F9AB00666930D446FC1AF7,SHA256=9EB059D29BE827CD49406CFAF065C646872D83980D92B9AEFC33AF32D6D6264D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:16.998{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-078MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:16.543{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9379D5D392D8E941311115F2D77F89,SHA256=9C11B6FC384070A92EE70BDE8E4E2CFC61986E0097221A6DC831977992451B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:16.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE10FC9040FA360515E513FA60B213FE,SHA256=98632A5673639A51D04E2666E69912C8FDC5F597D1008092DDC74FFD16659353,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:14.858{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50729-false10.0.1.12-8000- 23542300x80000000000000001445309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:16.090{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:17.557{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5213D7F76D5A58487C91538525D8A1,SHA256=6D006E74EB25EB2A9FA2076B968BBA7DEC9258939BB8A42B6A2A20EC029FF18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:17.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD865B05F8EE3CFC2DC54E64231A6A71,SHA256=80258FA6E6E94E84789F6D3690C7AD363DC97EB297A3CF25594827E84C2365E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:18.573{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF74B5CB16EAD51FAB30D947FBFC8CF,SHA256=BE5C39E2130E68602B0DC6607669F8D42AD774AAA54198CE107F86FC7537869D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:18.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEDCDD0579E8724B83C586D1279970A,SHA256=8427FD14A457BD4210BEA001D7B7477627598EAC35055C390B1C6A8C062B1EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:15.763{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50730-false10.0.1.12-8089- 23542300x80000000000000001445314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:18.012{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:19.589{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAABAD2299E0A2A0793A015A69B6071,SHA256=6F56EF95770388CE1D63012458FE363025EBF4C22B44C477150559BEF8DB97E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:19.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BF5E9BB24B3619FEA2F9E8E73DA542,SHA256=5C56D409140E94C5531B983E01AE72C4F3BA4360A6BDC293222ED7D2F69280F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:20.620{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B79928ECABA6FC58700C2551BAFB654,SHA256=97B9AF2C448E4D0B4E9749FCC5AE189C5FBBA027553B7BCA1A7647910D42CAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:20.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2938E60F4FCC3A027297DA77872F4023,SHA256=AC017FB67405EDF4BF3BC25F6E3E5C236E4012BF738B600C939FE16F0D6BE8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:21.651{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6A022BC7D35E097EE792ADB1A91DF4,SHA256=E57E5A2B5D9EB2BAD98AF4BE53D72B1ED4BFB296C74001FA5290B0BBD5496E9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:18.477{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:21.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D718F6ECB9E1DF188B4929BBE1615DE4,SHA256=44D4A62079FC5C7542E80CE60AB8A0C3D732C27010229AF1088CA7B3C06F35A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:20.825{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50731-false10.0.1.12-8000- 23542300x80000000000000001445320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:22.667{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB21AF9675969DC7658F09B8DD396F5,SHA256=0FCB4782BE593B14AB7CE770E46240FC79C174D75D8B5B932F04527F6CC36A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:22.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766FF76092E4A0E3BDB112F415A8DF74,SHA256=1FB7B40D1AA0E11777111D9F38C505E63A9D39DEA04061146E817722D5DC0656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:23.698{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5FFBBDB1C8253CAB459C6E840FBD77,SHA256=8C003FA6ADEB92A8AF0ED39B1F5541EE69FB6FDC5FFAE2DB436C6CE92C508EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:23.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1496CB536EF3D4E88A08EB7E2CBADC,SHA256=88555AFC7EE3AB69C69E650F380311317BDB29720CF5073187DA47290ECD2B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:24.698{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D324C54B67DC3C9B1093FC7A0FD5FDB1,SHA256=AC871DFD463025C5C1ABF384C52D5454919CE99CB698775842B0028E7E15198F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:24.095{5EBD8912-18CB-6154-7700-00000000FE01}1336NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2E180CB295F8BB9CBD8F728ABD236F,SHA256=B0150DB45A123A18481ECFC92D5ABA47B6BDF7880F8018530C1148E982780C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:25.714{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400FC614578858C4D4DC37C9813B6357,SHA256=4CB3539EDE49C043C5105C974239E6BBB921B39E66F6A3A1FCA47850CC8FEB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:25.095{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5BC7656D8571398DDA0F1D042EBE8B,SHA256=ECE23C96D53A82E0BE2872C71497234CAE626EC09DAC83C2C2D9D0637F35EE43,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001445324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:25.620{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b510-0xb8db591b) 23542300x80000000000000001445326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:26.807{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A857ADB8B884F02D5B9EED13D82B8768,SHA256=B99362541214B9F896A931E31AA03561ACAE524CAE823EE44A1F1E110D572AF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:24.369{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:26.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF94434C5906F27006B80F62B37CEFE,SHA256=B379E5C7C2CB40E2B905F48191C723FB4817CE6570139FC131846B10990F6E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.854{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833D21D2111D5C4C66380D2671155CD8,SHA256=6416DD03F91D23F0C5658C5B58F273B0907FE2DF8B657A211AFA53989A398643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:27.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D2BD937A0E502031182D25BA8537FC,SHA256=A46EFCCB67378D209F9244D87E90A493C92B427C52FF2BA7F1A52E1B9E1BC4AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:27.526{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.527{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001445368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001445367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004a7806) 13241300x80000000000000001445366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0x58a55680) 13241300x80000000000000001445365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b510-0xba69be80) 13241300x80000000000000001445364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 
09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b519-0x1c2e2680) 13241300x80000000000000001445363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001445362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004a7806) 13241300x80000000000000001445361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0x58a55680) 13241300x80000000000000001445360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b510-0xba69be80) 13241300x80000000000000001445359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b519-0x1c2e2680) 354300x80000000000000001445358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:26.809{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50732-false10.0.1.12-8000- 23542300x80000000000000001445357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1813F0066E0B701D47AE3095FEAF17,SHA256=9EC68EB3D10DCAE664C8E044D13A9407BC6FAE4C23F5155549C6246FC2758E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:28.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D7FEC6C850BF8501EF876E2AC3141E,SHA256=5E7119E5E6331833B7A756B398C8C00F70F911A3557CDAC06F038FC2BFA6CF1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.824{69CF5F33-2BA4-6154-CF02-00000000FE01}33843812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BA4-6154-CF02-00000000FE01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
(Event 10 record continued from the preceding line) UtcTime=2021-09-29 09:02:28.620; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445346; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:28.620; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445345; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:28.620; SourceProcessGUID={69CF5F33-1898-6154-0500-00000000FE01}; SourceProcessId=420; SourceThreadId=372; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={69CF5F33-2BA4-6154-CF02-00000000FE01}; TargetProcessId=3384; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445344; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:28.620; SourceProcessGUID={69CF5F33-189A-6154-1C00-00000000FE01}; SourceProcessId=1940; SourceThreadId=3840; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={69CF5F33-2BA4-6154-CF02-00000000FE01}; TargetProcessId=3384; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445343; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:28.621; ProcessGuid={69CF5F33-2BA4-6154-CF02-00000000FE01}; ProcessId=3384; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe; FileVersion=8.0.2; Description=Active Directory monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-admon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={69CF5F33-1898-6154-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165; ParentProcessGuid={69CF5F33-189A-6154-1C00-00000000FE01}; ParentProcessId=1940; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445342; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:28.542; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=08E4988A7A8B17B247453512103D4A2C,SHA256=AA9F014CBA42BBD22AAB237D2A6BC5914A2AE47DFD6F590510FC49BFA56DF1D8,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445341; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:28.542; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=1085008C953FAB4DFEEE6EA47AA0FFC8,SHA256=907E601F49C6755238334C29B436E27F49E4EB130CC0F03461C0E1F66B89A0CF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445383; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.964; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=0A1CA87741F81CDE85005761800BA3DB,SHA256=16F6352554ECFE81320AB320BB8641415F409511B27B96F19751525AE24BF558,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540414; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.157; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=5EF5A02D93D340395A36363D96C9BD9F,SHA256=5335503A80FCCB4A6DCA3D715BD98FD72916DE4D612A845EA91C4DFC6329AE48,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445382; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-189B-6154-2B00-00000000FE01}; SourceProcessId=2832; SourceThreadId=2852; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={69CF5F33-2BA5-6154-D002-00000000FE01}; TargetProcessId=1316; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445381; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445380; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445379; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445378; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445377; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445376; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445375; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445374; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445373; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445372; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-1898-6154-0500-00000000FE01}; SourceProcessId=420; SourceThreadId=436; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={69CF5F33-2BA5-6154-D002-00000000FE01}; TargetProcessId=1316; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445371; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.682; SourceProcessGUID={69CF5F33-189A-6154-1C00-00000000FE01}; SourceProcessId=1940; SourceThreadId=3840; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={69CF5F33-2BA5-6154-D002-00000000FE01}; TargetProcessId=1316; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445370; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.683; ProcessGuid={69CF5F33-2BA5-6154-D002-00000000FE01}; ProcessId=1316; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe; FileVersion=8.0.2; Description=Network monitor; Product=Splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-netmon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={69CF5F33-1898-6154-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC; ParentProcessGuid={69CF5F33-189A-6154-1C00-00000000FE01}; ParentProcessId=1940; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445369; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.651; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=08E4988A7A8B17B247453512103D4A2C,SHA256=AA9F014CBA42BBD22AAB237D2A6BC5914A2AE47DFD6F590510FC49BFA56DF1D8,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445385; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:30.979; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=E1E721F5C5A96005BAC52DAEDE0921C0,SHA256=082D8B1BC5097A2FBAA70CDA2050BEA5D0BA0E25BE695EFDFD78BC603B7972CF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540415; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:30.157; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=0913E8B7757F3B28306E95EDEF3EF077,SHA256=0EF416C48229AE39C395A44A19C59104E3544A5F245DA5BD8498DFA70221FBB6,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445384; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:30.714; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=7D9A32CFA6354845F19F4163D2048C0B,SHA256=88499D4F8E0FA9ACE9CCEE1755DE4FAC83B4FCFA37D7310BC86B4243763A679C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445386; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:31.995; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=BAB61BBAB536143A464FE5FA657579A6,SHA256=E8B9A669AAFD7128797C1B706A0FBD2591B7E8ECAAFD15B5AAC1187264713936,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540417; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:29.524; ProcessGuid={5EBD8912-18C4-6154-6E00-00000000FE01}; ProcessId=4004; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-429.attackrange.local; SourcePort=65081; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal; DestinationPort=8000; DestinationPortName=-
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540416; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:31.157; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=48F025CBDC3A0FB2052AEEC11B4A3320,SHA256=00B3DA345C8FBF5E7625929B6AF301B877AD65025FE0C01FB6999208485A5288,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540418; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:32.157; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=39F1253CEC4F19FA1B82AB0E8C93BC7D,SHA256=5C00F85B84DC247B17AFC932475FDE5B96A6CE6758F301929DE504AE07731D44,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540420; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:33.797; ProcessGuid={5EBD8912-18AC-6154-1100-00000000FE01}; ProcessId=444; User=NT AUTHORITY\LOCAL SERVICE; Image=C:\Windows\System32\svchost.exe; TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat; Hashes=MD5=353BCC4702D79BF3517C9359B3596CE3,SHA256=B1C3E99DA832A93926DC4651F7425926FE54B63FB35AC3B773F6E90A9D4968FE,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540419; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:33.157; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=69A67A57B9A8F3B4444160A5F33A8038,SHA256=8E83D3174BEDB730F2A7C4D7109D2449D94793E255068CEF67E33A2E051A4B25,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445387; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:33.011; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=409EDF4D1499D457FFEEF287352FCF4F,SHA256=FB5C229F709510B4595FC8E8D790C731BCB6FA75C0C3260DFFFA262697013CF2,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540421; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:34.172; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=98270F3D6B6DB604CDC9235E7259EAC2,SHA256=EA83A580F32B8CE87018126F1375FFD5DA5B35F1A20FE89B4D0B3D32753208C7,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445388; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:34.026; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=493603006749DAF741C93793D754D2A4,SHA256=5D710533BDCF8267D6C85F65C70FE97445844FFF61CF262ED62C27DFD233F5B2,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540422; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:35.250; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C531EE7E3F42EEE1A141A0A3D1E36B33,SHA256=85ECF5E4F170A307A9DBF9EB2AA0D310E8E8731FE3217B184ABC73FC68691679,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445390; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:32.809; ProcessGuid={69CF5F33-18A6-6154-6300-00000000FE01}; ProcessId=3980; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-542.attackrange.local; SourcePort=50733; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445389; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:35.042; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=F3B6CBE52661855EFA3E314DD856FD97,SHA256=3FB2B0672C4EF15F76A2893A0C77F203AC34D05F580781DC5835F6CD0FEFBAF3,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540423; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:36.281; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=E414C9386E57F3BE1B42F95D3A60A076,SHA256=9E33196BD1D62F654CE74275BAA94C0713BBDCDE788CACD4A9B428AA31E5561D,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445391; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:36.058; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=4DC985DD80B8A59B1A281CF9401A764F,SHA256=E4BBAFD9EFDFBD1F44B39ED95A991F9500D3D5341FC7DA6ED28BB57E4273A24B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540425; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:35.289; ProcessGuid={5EBD8912-18C4-6154-6E00-00000000FE01}; ProcessId=4004; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-429.attackrange.local; SourcePort=65082; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal; DestinationPort=8000; DestinationPortName=-
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540424; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:37.516; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=FCA54CFC42FD052116054FA58B8AA318,SHA256=F8C36F7B0A88E3CFF62A3A62C2EE3090543E9D8E43C67D24299331048D049D97,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445392; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:37.073; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=4563644C431F08859FC761BA0C10FEB9,SHA256=38D94A45E746FF3DA6EAC7C059A00D9B5D6A326FB592863854DA9CC6CCF73A03,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
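The Event 10 (ProcessAccess) records in this export are the ones worth a second look: GrantedAccess is the raw Windows access mask the source process asked for, and CallTrace shows where the OpenProcess call came from. The script below is an added triage example, not part of this export or of Splunk Attack Range; it decodes the mask with the standard winnt.h process rights, flags memory-read rights against lsass.exe, and flags call stacks with frames not backed by a loaded module. The four sample records are constructed: three are reduced copies of records from this page (constant System fields and most CallTrace frames dropped), and the fourth is a hypothetical credential-dump event that does not appear on the page; its path, GUIDs and UNKNOWN frame are made up for the example. The record layout assumed is the "key=value; key=value" line form.

```python
"""Triage Sysmon Event 10 (ProcessAccess) records. Added example, not part of the export."""
from __future__ import annotations
import ntpath

# Process access rights from winnt.h. 0x1FFFFF is PROCESS_ALL_ACCESS on
# Vista and later, which matches the 0x1fffff values in this export.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
KNOWN_BITS = 0
for _bit in PROCESS_RIGHTS:
    KNOWN_BITS |= _bit
# Rights that let the caller read or tamper with the target's memory.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040
# Targets whose memory holds credentials (assumption for this example).
SENSITIVE_TARGETS = {"lsass.exe"}


def parse_record(line: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict. Each pair is split on its FIRST '='
    only, because Hashes and CallTrace values contain '=' and '|'."""
    rec = {}
    for pair in line.strip().split("; "):
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def decode_access(mask: int) -> list[str]:
    """Name the rights in a GrantedAccess mask; unknown bits stay as hex."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def triage(rec: dict[str, str]) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one Event 10 record.
    'info' is the expected noise: parents opening the child they just created
    with PROCESS_ALL_ACCESS, lsm querying sysmon64 with 0x1400, and so on."""
    mask = int(rec["GrantedAccess"], 16)
    source = ntpath.basename(rec["SourceImage"]).lower()
    target = ntpath.basename(rec["TargetImage"]).lower()
    severity, reasons = "info", []
    if target in SENSITIVE_TARGETS and mask & MEMORY_RIGHTS:
        severity = "high"
        reasons.append(f"{source} opened {target} with {decode_access(mask & MEMORY_RIGHTS)}")
    if "UNKNOWN" in rec.get("CallTrace", ""):
        # Sysmon writes UNKNOWN for return addresses outside any loaded module,
        # i.e. the call came from injected or manually mapped code.
        severity = "high" if severity == "high" else "medium"
        reasons.append("call stack contains frames not backed by a loaded module")
    return severity, reasons


def triage_all(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Run triage over every Event 10 line; returns (RecordNumber, severity, reasons)."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") == "10":
            sev, why = triage(rec)
            out.append((rec["RecordNumber"], sev, why))
    return out


# Constructed sample input: reduced copies of three page records plus one hypothetical event.
SAMPLE_RECORDS = [
    r"EventID=10; RecordNumber=1445346; Computer=win-host-542.attackrange.local; UtcTime=2021-09-29 09:02:28.620; SourceProcessId=732; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023",
    r"EventID=10; RecordNumber=1445344; Computer=win-host-542.attackrange.local; UtcTime=2021-09-29 09:02:28.620; SourceProcessId=1940; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessId=3384; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860",
    r"EventID=10; RecordNumber=1540428; Computer=win-dc-429.attackrange.local; UtcTime=2021-09-29 09:02:39.766; SourceProcessId=640; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessId=4; TargetImage=System; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\kerberos.DLL+96ef2",
    # Hypothetical, not on the page: unsigned binary reading lsass memory from unbacked code.
    r"EventID=10; RecordNumber=0; Computer=win-host-542.attackrange.local; UtcTime=2021-09-29 09:05:00.000; SourceProcessId=5120; SourceImage=C:\Users\Public\dump.exe; TargetProcessId=640; TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1010; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001F2A3B40123)",
]

if __name__ == "__main__":
    for record_number, severity, reasons in triage_all(SAMPLE_RECORDS):
        print(record_number, severity, "; ".join(reasons))
```

Only the hypothetical fourth record scores high: its mask carries PROCESS_VM_READ against lsass.exe and its stack ends in an UNKNOWN frame. The page's own 0x1fffff records are a parent (splunkd.exe, csrss.exe) holding a full-access handle to a child it just spawned, which is what CreateProcess hands back, so the mask alone is not a signal; the target and the call stack are.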
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540426; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:38.563; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=A3248E5E0F316969E5AA97095EA13580,SHA256=1FE77EA88A25E5921D39C86B1E8456FADA4D048532EAD49527A0757F4B90157F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445393; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:38.089; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C9AC8FD719CF700E17E6785F0DAB75D0,SHA256=378C9ADCCEC0673474DA1BE53F02C2186F2E15D406C22642F0E02832D5EF142A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540428; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:39.766; SourceProcessGUID={5EBD8912-18A9-6154-0B00-00000000FE01}; SourceProcessId=640; SourceThreadId=6124; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessGUID={5EBD8912-1892-6154-0100-00000000FE01}; TargetProcessId=4; TargetImage=System; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540427; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:39.578; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=5DA4FAF344940AD877DEA2AF8DF4F721,SHA256=0B17CC2C4D082280CA488D22C620823258389E7020A9631A8AA637EF8E518ECC,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445394; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:39.105; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=7C513B026B5385A9A401CD2CC8660A07,SHA256=204779A3B5D19CA1C9998CFDB7CC574868C022CEDFB06F27C5E0848C8DE81D50,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540435; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:38.960; ProcessGuid={5EBD8912-18A9-6154-0B00-00000000FE01}; ProcessId=640; Image=C:\Windows\System32\lsass.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=false; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-429.attackrange.local; SourcePort=65084; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.14; DestinationHostname=win-dc-429.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540434; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:38.960; ProcessGuid={5EBD8912-18AC-6154-1600-00000000FE01}; ProcessId=1272; Image=C:\Windows\System32\svchost.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-429.attackrange.local; SourcePort=65084; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.14; DestinationHostname=win-dc-429.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540433; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:38.949; ProcessGuid={5EBD8912-18A9-6154-0B00-00000000FE01}; ProcessId=640; Image=C:\Windows\System32\lsass.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=false; SourceIsIpv6=true; SourceIp=fe80:0:0:0:65e5:9cae:dd2b:361b; SourceHostname=win-dc-429.attackrange.local; SourcePort=65083; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=fe80:0:0:0:65e5:9cae:dd2b:361b; DestinationHostname=win-dc-429.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540432; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:38.949; ProcessGuid={5EBD8912-18AC-6154-1600-00000000FE01}; ProcessId=1272; Image=C:\Windows\System32\svchost.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=true; SourceIp=fe80:0:0:0:65e5:9cae:dd2b:361b; SourceHostname=win-dc-429.attackrange.local; SourcePort=65083; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=fe80:0:0:0:65e5:9cae:dd2b:361b; DestinationHostname=win-dc-429.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540431; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:40.656; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=B4FDA8D18A7270E144A4D90D0498683C,SHA256=F4FEC5F89D39D4633BE7D1743D74C4941051D9633A9C177E017C6B7AE46B8B8A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540430; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:40.656; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=7CA682C2CF20025AC8AA89B0B7E0FF90,SHA256=7DB32ECAD0E6E1AC67754B9429DFB5FDA7AD145C18DBAD393D2F6CA9F98DEDA8,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540429; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:40.594; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=5F6C90A6B48950D76B18DA00445F5866,SHA256=AA78B9A8C4D95B577D108C3DC4181B6BD26A02506A3394A99274B94449D89C6F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445396; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:38.793; ProcessGuid={69CF5F33-18A6-6154-6300-00000000FE01}; ProcessId=3980; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-542.attackrange.local; SourcePort=50734; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445395; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:40.120; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=AD05508667BD835FF5259E26029E373C,SHA256=81030016E15E14669E0C3190ACA7B69B18FE8F0B7F271ABA27143C038965A519,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540438; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:39.059; ProcessGuid={5EBD8912-1892-6154-0100-00000000FE01}; ProcessId=4; Image=System; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=false; SourceIsI
pv6=true; SourceIp=fe80:0:0:0:65e5:9cae:dd2b:361b; SourceHostname=win-dc-429.attackrange.local; SourcePort=65085; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=fe80:0:0:0:65e5:9cae:dd2b:361b; DestinationHostname=win-dc-429.attackrange.local; DestinationPort=445; DestinationPortName=microsoft-ds
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540437; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:39.059; ProcessGuid={5EBD8912-1892-6154-0100-00000000FE01}; ProcessId=4; Image=System; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=true; SourceIp=fe80:0:0:0:65e5:9cae:dd2b:361b; SourceHostname=win-dc-429.attackrange.local; SourcePort=65085; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=fe80:0:0:0:65e5:9cae:dd2b:361b; DestinationHostname=win-dc-429.attackrange.local; DestinationPort=445; DestinationPortName=microsoft-ds
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540436; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:41.610; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B47B6B02022E4258C02D321A613092B0,SHA256=D6E41CAC3C47007A0E841BD1FEF9763CEF2C6F60B9DF5E8494527A1C157A6C2F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445398; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; EventType=SetValue; UtcTime=2021-09-29 09:02:41.620; ProcessGuid={69CF5F33-1899-6154-1400-00000000FE01}; ProcessId=368; Image=C:\Windows\system32\svchost.exe; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime; Details=QWORD (0x01d7b510-0xc264cb0f)
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445397; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:41.136; ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}; ProcessId=3364; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=9068D6E8AABCF4075AB2506933803D0C,SHA256=E4D8348BDA1FFB45FD3BC9FF2F806A19431FE1D78DC551E15B7CB5A9E3B3AF08,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1540439; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-429.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:42.610; ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01}; ProcessId=1336; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=12FDA28D88313DDA4E7A7C9B351DF714,SHA256=9ACDE8EC817C23A3D02283CB918FD59EECB39C7F92D7079ED2E4EA52ED170B42,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445413; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:42.964; SourceProcessGUID={69CF5F33-2BB2-6154-D102-00000000FE01}; SourceProcessId=2656; SourceThreadId=904; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; TargetProcessGUID={69CF5F33-189A-6154-1C00-00000000FE01}; TargetProcessId=1940; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445412; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:42.714; SourceProcessGUID={69CF5F33-189B-6154-2B00-00000000FE01}; SourceProcessId=2832; SourceThreadId=2852; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={69CF5F33-2BB2-6154-D102-00000000FE01}; TargetProcessId=2656; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445411; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 09:02:42.714; SourceProcessGUID={69CF5F33-1899-6154-0C00-00000000FE01}; SourceProcessId=732; SourceThreadId=4072; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={69CF5F33-189A-6154-1E00-00000000FE01}; TargetProcessId=1968; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; RecordNumber=1445410; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-542.attackrange.local; RuleName=-; UtcTime=2021-09-29 
09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:42.714{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2BB2-6154-D102-00000000FE01}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BB2-6154-D102-00000000FE01}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.715{69CF5F33-2BB2-6154-D102-00000000FE01}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.152{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CDBE1771808E5207A1FAC0A5861853,SHA256=8EC920D3C9687534F54BD3B3739E1D02CACBEB9E9772A0136B52D0E3ED70A6B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:40.336{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:43.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44568860C4A58C0B6D045BAE2251FC6,SHA256=6F0FA2DBCC1F6DEF7C1A5AA4A6A4D7AF7B1383ACB9028A90DB131E2DE1DA93D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:43.902{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:02:43.902{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.761{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44AE008C565252FE18A79D3C53E8E214,SHA256=B806AAA5AB162D4D190A422D7FD512E73A523B1A7FE045728E4BC17F79EFEB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.761{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A741E69B2436D66A48D268A344CCF166,SHA256=A018B64C0BAE2DFDC2258170C99D6E9840B96291E943708B72797970CB94C86C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.433{69CF5F33-2BB3-6154-D202-00000000FE01}37363164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BB3-6154-D202-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
10341000x80000000000000001540472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.787{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5830880AB95659FDA614AAF76B9839B,SHA256=CE2E46DD016FC9981273A39D28407EB65F93D3B411A411E9CA688C91B3D23625,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:57.433{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7097B6ADA8BF47A6252FAF3CB59C1D,SHA256=A9D15ACECEA41990DE545CC01D085BB195223E363FA0F54BD152851B29A82EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.802{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F97EEA9E5AF7DF400EE22E66D89813,SHA256=7606E0B99CCB9454B772E231F230D0C8624101E5D8C47173FEC5E4C2CD2D2486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.802{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387EB88040802616F7FFD7492ADB91CF,SHA256=75A8C0DB8DB0137305698DF5260800CC5DFAEDC1E603846169B5AD769859F171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.787{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489756321CA026E2E5F6EAC06FC1A813,SHA256=E68129410DB0574107A86753DAC63DDDF3104F08B799F33A10C898C1C5A9EAEA,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001445476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:56.762{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50737-false10.0.1.12-8000- 23542300x80000000000000001445475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:58.464{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF33263EC017C8043B60536B25A6F178,SHA256=1872E30B7698C4D7C419EB54045E180EAD0C9D6003591581C4C2A89AB81A59FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.520{5EBD8912-2BC2-6154-0903-00000000FE01}47044252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.287{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1001652DB37C8BCD7E481245BF6DE69A,SHA256=262AC08D5BEA2E0BD46913DEC6784E66899694384A2AA744817DFEA0617080F0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3686E0BC7C9293D615DA748498A16EB,SHA256=6C278FBC4798CF59803E53EC93A0FC440439AE1B3F479F86728FF1D33E33BED6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:56.341{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:00.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11953596121BB9757FB17945647D45DA,SHA256=7781B72128B789F7EBE100A63BC930DAC7451A1752632FEAC427DF5C3D250217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:00.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73914047B1DDCFBEC11388D2779E2D37,SHA256=A52D09AFB745C6B4B4C5ABFB84BC8C95AFCFF9349C74BF0C729FFDF37AFA6912,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001540506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.708{5EBD8912-2BC5-6154-0B03-00000000FE01}34405668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AD5D3616E33E9292D6C04E9B9D6575,SHA256=5AF30591FC0BBF9FD406DB6A5A86D293F72220D334950B4B7C6697B7E0939AE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.942{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15553-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.917{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15305-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
23542300x80000000000000001445481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E251368969F34DC4B396AEC605D5717,SHA256=1C5BABAD58877F2E72F0DD5E17C7331EB844DAE233A986D135FC020A22B696E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001540502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.130{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F97EEA9E5AF7DF400EE22E66D89813,SHA256=7606E0B99CCB9454B772E231F230D0C8624101E5D8C47173FEC5E4C2CD2D2486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CFE7501F25F1D6486A7F79869EEACC,SHA256=C2C281DCCD0850010800103305DB98F46D85E7FFF17CF4C82166A0B2852F8688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75AE83D1F66CA4045F3626D5B71BACE7,SHA256=F96EE7443F6CBA29660333CEC50DEA479A85934802C0A0B0E6E9D629EAA6FCAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.896{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.677{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166B742B4E9B48D1632C828CAA890011,SHA256=06BFFF990A5713A4EB5E47A125C7C39DB5F18ABDF614C3C5E47718C9D61533A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.999{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50739-false10.0.1.14-49672- 354300x80000000000000001445486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.996{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50738-false10.0.1.14-135epmap 23542300x80000000000000001445485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3C6F5C46A5C652B03755B5C88ECE75,SHA256=78D16A5FA98242579A4AA1A766919A36AE1D149D9AB3D6F54D5E421B304E1A57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.645{5EBD8912-2BC6-6154-0C03-00000000FE01}37643140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.536{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFF398D98712CA9FBCFA69DB58562BEF,SHA256=1B9D79F418A934BE3E8A4BF631A2D1D901759D065017BE1FAC47B705648F155A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.310{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65091-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.310{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65091-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 
23542300x80000000000000001445484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.449{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CFE7501F25F1D6486A7F79869EEACC,SHA256=C2C281DCCD0850010800103305DB98F46D85E7FFF17CF4C82166A0B2852F8688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:03.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70924D5B9675CACB0B60F72681C396E9,SHA256=21E6822105B0656B3A6FC5D1DE8259AC1B4B5AC5FF711257FC6929C2AAD32018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:03.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58214374AC54BEBA2DDBF11CA80D3287,SHA256=0F559F18FE0B7CABC85F50BC8BADBE8DA077BAB47C0095BE39D08724951BEEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:03.755{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD252E8F09FA99D943D1F64C3D8D9FA,SHA256=1875612118E116B8E011317500CDECA56AF15B44D78260D9569E3D58535F7A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.558{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54250739-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001540529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.556{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-54250738-false10.0.1.14win-dc-429.attackrange.local135epmap 10341000x80000000000000001540528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:03.083{5EBD8912-2BC6-6154-0D03-00000000FE01}50324856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.755{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366DC94C051D8BBB9AB7EE187526A320,SHA256=F4EF2ABA3F4D61A0ABDB86338B8CA2336C0528F07EB78D035147A551DB9509E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:04.652{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE3BA0D177549A8FD2156EDEF8BC0928,SHA256=501AA42B4A30E774637277F70EE49D05C2F34783992614268114CF6C66A05184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:04.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A666D0A40E02FF25DDC9DB3B9E6A318F,SHA256=AB9B1577B4F0EB739DBD4CD2710A6C0FBF482A98DEC937DBCE7A6A0E48F08DED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.169{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.050{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
10341000x80000000000000001540541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:04.661{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.662{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.357{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.114{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4730DE711948F1C30F971E4B97AEE46A,SHA256=8E2C6B71D6CC8F811C0D27A6AF828981E3CEA3F401D24B22564EA644F1411287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:05.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F17D8160455838F9E708F7C94F0B8F1,SHA256=5883E87513F1A9FB40C55B5C9AE3F5333C20A40CF2FF3C3E5CFF94689068C7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:05.746{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=517891D842D86BFBBC38246B55FDB195,SHA256=D7C57EFAC6D2488812E1AE3743C336BBBF173A76D0421362B80460A4FBD0F72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:05.590{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24E4776148AB73E27E696A96492D253,SHA256=A8E8DC44845A226903CA6E535391505D2EB153576BD0A8C300FE00340A3C55F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:05.669{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E043E877F0397AD1FE232BA5FB78FF2,SHA256=46FD639289A81D142CC6F28429470BA820E80A2505ACEB981CDEC431EA24BE45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:03.283{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.792{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50740-false10.0.1.12-8000- 23542300x80000000000000001540545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:06.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68B49849482D5A7EF4E8F4F330CC3B8,SHA256=015D51708BDE1D8BC2714D6E77AC09CC8A487554949E3E53AB8A6FCAB14BA95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:06.808{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36B5FFA65DC6049ACF1B007887D578B,SHA256=350CD0A4BA8FEC10ABEB7AA8DB0BBE69C25EB42DDED8D8960FA492A021B35BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:06.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C66BD8E43028C83BAE0F8FF58C1E333,SHA256=EB766E1B3085C6DE10E00B4B68A8BB7986DAAD8C46817FD6E8C834180A3B3AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:04.375{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43056-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:07.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D48B33A83C5A0E7496C0E047741822E,SHA256=C5993D203BB48D7EF6A62057126E8E9893172C23058519A260E665284BE3F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDD93D6871FA9ED2EFB456BA68B14234,SHA256=7D1842D1E76C088A4E39785056BD74E9479374DF24FB6CF2EEA107862E0FD0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.668{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22530FD8292E6B27109EE09FD2BF383B,SHA256=A140E6EA976B370A3E989919B0A76DDF15262BD4F5742120904E696D39AAD286,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:05.455{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:08.683{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA855DF44ABAE1BC47CEC4FCF4A8DC3B,SHA256=CC3412CE14AF63BB42F6A7304E675686AAFEFFE83DD73A6285B6E4085A1B5C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:06.548{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56775-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
23542300x80000000000000001445507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:09.715{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538A92392FE38F1B01F635AC985416B6,SHA256=82BC9A88C35799260EC1584648F3D5852F75542E67B60C1E23B2D5ABBDA73712,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:06.475{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:08.998{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E009D902F581DC720C5FD912C0CB6,SHA256=097B54E0658C7007A6A39EED9C03C0D27F700C3B3BBAFF06031BF083B201EF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:09.011{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D02B6A6A9EB8C06F66391B481BD1513,SHA256=86AD515440C97465AD453A2684A0565D838667567E0F64F6117015E2E62B7165,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:10.746{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE4038C5C0B99DEA699F6D7216C5D58,SHA256=6FF99728241B835374BBDA2E29E6D466E52D2059E4EA79FF7FB804E4E6E13634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:10.060{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FC780F491AA21FF71C59C9E2C2440F,SHA256=AF1D3D1670F8313B737C94F1E9BBE1DFE187C278D99D28F79712179EC3D01E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.855{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50741-false10.0.1.12-8000- 354300x80000000000000001445509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.641{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4680-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:10.090{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21B1E0EED1B407DD0B4F3E1FF148B3B,SHA256=2CC020ACFA3847A4372E0F528A2406C686C264E6265D84BE10FF80934CA5F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:11.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03079B5CDE1D477A5776DAB82954B2F,SHA256=47F13AAD019D547D516A116B0ADB0ED96C9FEA83501DF4F82D213D1885DB82FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:11.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E9BB108CC56EEFBD93E0589FBE941B,SHA256=1CD7AD1DFAD97A54E8B422D28AD4D5CCCE34D16D5B6AE64CC6AFA8F9C9918083,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:08.720{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11586-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:11.168{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89F54B6C32AC6589A7D87C87E058FA2E,SHA256=AE28C64838AA5FE99C47A6C48F3B93761EDB40929B8871C13E17771FC2BA29E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:12.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE0C744D970CA373C97598EF7D32F89,SHA256=E4406F766478845405DD008A113821F87C21ED3FDB5DC44D705FC3E010FC8182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:12.091{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57255EBEF36BC025D71AF3373E7A7DD,SHA256=61DBAC12E51DAACA74CBE9610E3C57D570ACBC8F809007896AA5D7FF5FC0D0DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:09.798{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:12.246{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5E057563F481F8B987A438928240B97,SHA256=DAD950622E9E52DA3C5D3AF81764BD18499766F6F5E9C4DE20A409AFB5225DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.793{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CE7763D69D029510BEC5461046E46C,SHA256=F664A418A05B05716AFD41716F76F606FFCD2A6554705232B914ED8945491CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:13.138{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63780FD20FDBCD5A8B8E6E75B5B73F8,SHA256=5AC1462FC94A38CCA1190D04B05B599292C060F76A8529F3011D2B80738C1795,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:10.875{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.340{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DD4EF451E0B31D64F3E5106FA37857,SHA256=1BB10A323615857BE871DD4B79C04E4E4645333A7608A7DF08B6EAF04F021423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:14.871{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=64F0C1A8110CD483D1E1891D962C9ACB,SHA256=6EE893095C832F5864063035C8018758182B791D247D9C731187497C8441F8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:14.824{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C5D5EAF94FEB37D6FF168CC6B33913,SHA256=91B8A16F927A1437E1181D9805D5E18EF868B1495CE12E8AEBCBE5909D24966A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:12.428{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:14.248{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC73A3F6BDBC3DCA82E14464FBF3C07,SHA256=EE5121D37337AA59E31AC10B4475D9F377BFD4EAEFC7B7D05CBFAE69F2427CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:14.418{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F4528F04EDC77C546D70A128E6EAAC4,SHA256=0C83C7B59BD787C69EF0EFFC3BFC7D25A56C83D4D482861FD4F03D5CCF3D1341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:15.855{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD387BD4D8DD4D2D66B29D13FB667118,SHA256=AF0BC619A6A34EB3ADF81A7E1E17B9FB1AEB1D157FE0979A094FC3A3053DA3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:15.248{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7102D9E0518D95AFAB5C75B4CAE9BC98,SHA256=BEC82D1B7D2E14CEC509C93C3699C0727C3F65142D7702B3E7D829DFC387DA79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.678{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT 
AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-52916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.048{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:11.954{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:15.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0745CA1790A6696604F7CE6AAD229A2,SHA256=136CD959E7DF5DD0BF07C04C62FB4A8D8CB3BB292020FBA62DFD4E6A4184B035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:16.871{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8208A79288231BEE0245FF4BDE309D,SHA256=5A128EB3AEA1F9087B30EF9B8122D74FA0CF51554D4F32EC26752AFF3D5C6F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:16.373{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1EF239E6CC7423DED7B2A50E1128F7,SHA256=5FD53EC79D92E7BA066D6A2405B5A5F0994362027DE46A7F43C2790FCB5E8F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.701{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001D4D9222308E1A86BAEF0F94E1DB7E,SHA256=C4AC4150D2A9CD16B2DED8F7A67AAE1A7DC301F1F65768A4FE11AC8C2AFA5260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:21.817{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:20.736{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-26995-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:23.184{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=031FA10728D78CB54A96075694689F78,SHA256=8AF3C14C7A6D2BB9D71095AD0C54ADBDA7EEE9F898C8FD79B47A64D03EB5DC83,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001540597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.388{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36EB508CFC9B1C4B024AB8BC7FF5F61D,SHA256=6A9418E323813FE5CB4E70ABDE9D9A4562FBA4F4A63A3854041B9F6C48DC7E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:24.701{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BCA43A54FEAFBE137D5F8AA0ED0864,SHA256=A5526C669D401D8E727335A283705F851386C0B39C9C72BB760137CFCD099288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:22.894{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-40528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:24.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D3C1A5990363BD9CF63252F6BC3D6BB,SHA256=F4DA27F42915C7BED9E7020C519DC32E944E3009CFD96C69E9D5BE3E1B1A3D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:24.622{5EBD8912-18CB-6154-7700-00000000FE01}1336NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD34FE20AA84F5FDF5F39A413DDD28A7,SHA256=E6F57578A0441A4072E824F3610FC626635CB638E88882EE82EF841D60C9F04D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.620{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:25.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DEE45F79294DA63470629328C1FC2E,SHA256=0193733038DEAA77E1B827D422E6EE8D78B23989293F5D0E905A9EFC3C8C0F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:25.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AE4C78A42313225231BBDCA22897FBC,SHA256=3E5A2A4A45B8A6A77749DCFB4156FCA2F8ACFBC185BAF757C42104B634DDB45A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:22.698{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001445564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.341{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B41EB3A1506300BC5D1D017103F5574E,SHA256=A395A12D05592C0FE7A3ED91F9B8518C114C30C66A6A65742D98DA061716CF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.060{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF12E5D0C6039B6BCC1B3F145271E86C,SHA256=99B3592FD5F7D909640E547C415BD6FC7660342495E42AAD908C539629865F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:26.817{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561ADD84E3F9E8D69DD82DAD4A1EF6A0,SHA256=ED854F42574DF9E4407B631ACB1B32903CE51AA02BA636914454E4AFBE96CE54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.048{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53848-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:23.971{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:26.419{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B8AC341DE5B7DAC2349F86E428CCBA,SHA256=6A960BA33D74795F74DE12A07F4240A848AF0FE02140A767EF559E12F1F94608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:26.075{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E203BB058C909DFAF5AF572F093747,SHA256=5CDD20EF79628A91593CBA0F1DE7C312E66A4AA005E9182E595D812F9351D195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:26.784{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFB2BE6C06E09F6F520A310BD6EF9D73,SHA256=DF72548FDFB52D15516EA98B21739AB7654CDAC736531251DDEF5CF98ACCD39F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.522{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:27.909{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BF3A8B518DE53EFAC6280BE2EF3B29,SHA256=B5624E26E81048B6C85DF089152271886F83611993C92EBE09E84698B509C6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:27.862{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12985A14FC50037F582F7D0C95028362,SHA256=035E5B71B402BF65921BC4D5B8BB1A3F91768661602EE8B56CDF839BDA1D7DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.809{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50745-false10.0.1.12-8000- 23542300x80000000000000001445583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7732ECD2987F80D3ED04B7BD1D25351,SHA256=7B198604605527E3A49DD1F5E9CD96D111793A325AE167B8B9DD53A251334D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:27.528{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.529{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.091{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D68E0C1FE1F547E6320150E6933EBAA,SHA256=4E8F4037CF0D11CDCDB1C498FCF6D3E4AB6AD344445E4554D80AA5302540A673,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:25.016{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.932{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8404-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:28.987{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5F98B4649E60BCA5730366554CBD74C,SHA256=91E1C3F7551BDD4F6C7A8C4AE33F61762F2A092DA97A3378B06E1099366A72EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:28.893{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76462F35CADA1DA306C0999D1339EA09,SHA256=19ED585AF1F90C45E5C7FE17F934374BE92863F408E1C9229D95D3A234545FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.716{69CF5F33-2BE0-6154-D602-00000000FE01}6483520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001445600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:26.131{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1525-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
23542300x80000000000000001445599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.560{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC448B7E2FA47B79047BC0E8DC060F8,SHA256=E2808EE8A1E1F9559A1211C6823A7378818178CBE816D2FC08EA29916BE0320E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001445596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.515{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.107{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF017070A768AB3442604615E4068F5,SHA256=287A0FE8B2DE929756C04818D10092A95D2CB90EA28F96D6F388250D59FE9860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:29.909{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA82FF1E7D75C4964B9BA5D0B4462C2,SHA256=9DA844BF01AB5AD7880D5D559ED11661577976D372EC6784E9D7DDE3E02921E5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001540614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:26.108{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20543-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001445617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:29.700{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.701{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.669{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7914B435190773B3E26943AC6AFD0B73,SHA256=4EE2660990BBC0D00ACEF4953BBBCE618FE7FDF9FA3A0D109D9812AFF3E310E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.237{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.107{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0300698E651517FD3C46F971E33D67,SHA256=39848EE22C811B2C7EA62A06DFDE5125769895B73D0BD0ED32A723AB027CC41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:30.971{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CC914DDCE885BE5CE9663DA0D7BFC9,SHA256=9663917CC3B279176F7568AA6CC1262C838CE5877368731E13C6CB98C3CFDB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:30.096{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D90EDBF07DBB00FFC5FDC9430D8930F,SHA256=F7A3EDFC3D004DD66551AFBD34CB416FE26CD3F3982C69B9196DB121DED998B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:30.825{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F424D9398AC33FFD4AF633225311D084,SHA256=9FA13E3955FD8E94244540BA203E678B00CC38BB75C460BB39C7A0DC517D919C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:30.153{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90548443075C50AECBDBCBD81B4FA3D1,SHA256=B4D40EE218422494C16760CA8DA6BBDAD0B61FE53D91805423757C796199DB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:31.253{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E0A9102E2D7F74BC2AA04E930D4CF1,SHA256=6387EB05A6D40D41163DFF36B2A72358C3F800E72852BAD3770602A43C60976F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:28.309{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-32793-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:27.219{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.888{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E79215A421C4F3EC0CF7297B7FF1C2,SHA256=DC2A1266C134B5D996640E7AA6CA585062A69961FCFE84BF7AE868543A63764F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.407{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21321-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:28.314{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-14787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001445621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:03:31.423{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b510-0xe0140a5e) 23542300x80000000000000001445620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.169{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC48BDCE11DA67061E363609035B72D,SHA256=F069288B5CC4B361B3E2EA651D80DD4040EFC40AD19DB2EBA51CED8D102E5D81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:29.418{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:29.406{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39029-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:32.330{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC01D8139959A051978CD04CFC7193E8,SHA256=981F759B2555042B4655DA06DE5ECD5B2AFB112AD55DC488B5C0BE933976AF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:32.190{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE4B3C977CD273871D6283BBAF02853,SHA256=CB822E1D39480C3FAF56454193E8FC4E0712BE7D629AEFE495FB8AF9A8752AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:32.966{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1263897A89E8161279DE586692F7551E,SHA256=F0F7D207835C5E3426B3B4DA742945AF4D10325DCE3EF76459F90CB8E19BE897,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:30.518{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-28124-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:32.185{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215C877549F1ECCF37946AA63837F8FB,SHA256=649D4FE25587F3B9776A3738076C20D38AD569356F5802C668B04B1545241FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.799{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D7D067CB0D4AB7493401DEDEB32CF8F2,SHA256=622CE93A0AD9D89620788F6245662C7D807BBEEC9270E5D1678DBE8104A8D5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.424{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55288640F25D7720B3C5308C688C8BE,SHA256=ABB7166EF9123C5C9386AB839DE907F9B6870F965E736CD1A57F09727C5103E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:30.564{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45408-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:33.200{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708A02E61F97AB8B49D26C915D337620,SHA256=661C77C5AE4D45B83629712859B09CAD23768111FF5C7641A4DCA478C9711525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.408{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A4A10C85803E9C5278AC320C6F04F6,SHA256=2D95D575E9C7D4600A46857DC0538ED05A5F21D47BCBA373D936E60497E09BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:34.658{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11953CB074CA13B458617FE7458B9ADD,SHA256=9CB4D91175E22DCF447BC7CBA2F1E74823451C2AE6A3652344894634F942AEAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:32.674{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-41551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.825{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50746-false10.0.1.12-8000- 
354300x80000000000000001445631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.595{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-34854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:34.200{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63699CA4F0C3FD352464719FFBB84690,SHA256=621CE8DE12CE24FC33E7B28E73AA233314177514AC2AAC465C7630C20F80D197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:34.612{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7713799384EB6AF4A2A8917A1EF43F05,SHA256=DA4080AACE14EEC7EF004039351A9ACC44CA7E5A5314DEF26F76641A0151891C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:34.044{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1074BCA90000D56C24F04D09BE722ABC,SHA256=8BE1C02C82746BFFC848CF95745A86599EE4FD12461BD5AF74EC09A19AE68614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:35.737{5EBD8912-18CB-6154-7700-00000000FE01}1336NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA698D24AFE902DE4D22302DECA7AF5B,SHA256=EC0B0F260571B494CA0646D60A1840E5B7B8935D43B6681A7DD799F1549CCE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:35.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05825F190C2340C8516D182DC62475A4,SHA256=5DEF59379FACAE095F0AB259FA1927ECC8CCD1668E05B4D9CB05434A3158F45D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:33.788{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48059-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:35.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A0F0969CE3D4A1E80B13B1744AF6F1,SHA256=9916368131C913637A09E04A2DC721A29148685DF8EAF97E177FFAD2537EA6B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:32.764{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001540631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:31.640{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51470-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:35.185{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E954C3C2A079CD2DBB830A664D584BF,SHA256=44AA1B49752BB94820AB86F8BAD3A361399F2CCB13D020D6CB0331008275313F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:36.815{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C1AFC5073E22C9052B5190A3EB6B3B6,SHA256=1812E407A3C718F107EC2A9355277FFA3D60C319CEF2BE77EF87B547E10C29E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:36.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206697C3396A26F295832915549D069C,SHA256=B2A621585D4D65EC05F2EB53D408D2B0A69303CEC92E256449E047E35D027E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:34.895{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55231-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:36.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAA17179C1FB9BA5C1FA87B251B4CEE8,SHA256=8317A24B0BE403114CDF04C60E7B30BB2ED909817CFF1F12EC3C2910598D0AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:36.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C995B1352A0AE639B7193F350FFEE57,SHA256=3546EAB2FD434F00AC19952484320AABA1598C57199E9638C23BAF2E491E6593,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:34.496{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.936{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001540641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:37.971{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B955D5630960BB17DBEC7CAF2D0870,SHA256=455B1D9DA192365845C5CB2247DCADB19FA7DEAC96C98B827D616D68F46E9D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:37.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72ECF25D5B017E1842E04A993BD004C1,SHA256=404229B2B3A06171B933474E99167A5EB9B52AABF594E05B2832313866A65B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:37.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F3153CD070B4E01468EABD4E3BEE401,SHA256=75F2803924E6EFDDE49153F9E687D21056FBD01F0CAFCD11A4501A07151B6EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:37.294{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3B36F0228CCE1F71AE2E2878E6D4DF,SHA256=60EA2312540CD1E2E8F9BD2CF65727369D7736B5716C2F86A3A787ADA7E40D08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:35.048{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-11384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:36.138{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:38.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63C57A8268AECC05C3769524D6BCA6C,SHA256=EBF4203B0F210D36F2A299852BB68B35BFB718BE913BA566562FD8604DDF2837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:38.435{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65D3006C9C3472310F99E7035AAD3F89,SHA256=8A43FFEC6DD76CA9CF72F39EFFD191C7B984F0CAC18905CE712841B3915A9088,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:38.310{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0976077E45B64735392D5684C086163A,SHA256=004EEA99C7EED776E6DEABF464ED230BFDBB924141FB210AE3EC37D5F4546D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:39.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76822C93B2CB4097D7A01465AC363C50,SHA256=2C2C3CA77FC030A0F27A84903E03D97014CF1258C6EA86BF75D0ED4617CF62F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:39.591{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399AE193165E0432E02B0A723C1C62C7,SHA256=B6791992EC6B4218B2308966BEB2E276AE32FBC0366B4A02AA46947A29C6D7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:39.326{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A94475065ABCF42A61CE1CB354A21CC,SHA256=1E6E243508168851B2A3FDAB5A75C8062A2AA8662308C15D16B1C7E87F6C0CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:39.049{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91886A8E05F788ACA7B0B419A7B685F9,SHA256=3443B6A2BC38233500CE620EC14EAA6752D9FB62706005B3983E3949E2BABDD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:37.064{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:36.824{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50747-false10.0.1.12-8000- 354300x80000000000000001445644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:35.980{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2950-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:37.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-23613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A725A8299AFDF654FD4E66AA5DD5753A,SHA256=395546262EBF78B280A8461B68A35FEB2C6EF1943911E3404E6FBF7551688512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:40.669{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62348C31245A168BD8B278F08E77D5D4,SHA256=39D875249E70A4C18A01BDB98D52428A5F3B43F26A7AB6D0CE66E62C51B5CF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:40.341{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5887A0FBF790CA4BA7F4F75D530C45,SHA256=9CC8EFB78BBF8E3F45396E2F051D3035904499119C50DA4F5A867AA4EF8D0555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:40.643{5EBD8912-18AB-6154-0D00-00000000FE01}9084604C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.190{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23E26EFE0D9BD5B987EF4EAE2DA193DA,SHA256=AF73EC4AB493E5A0DCCC99F0EB2D69C22A6D416AE94CD63E63C578413D0A870F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:38.147{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-16168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:38.389{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:41.752{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0911288031DD582C634C31369339E468,SHA256=AB2E1D9075267C118BB9EFC995EAAC887D4B2375F339ADA44974E03B0EEDCC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:41.748{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9BC68D3945C26358F0100BDB980BEF,SHA256=C1E7923CD0617E6093E4DF64F027E9B92BB49E0BC6062BCC12D4E3EDF9C9EAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:41.342{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDC12AA900BB53263DF1F9848045EC2,SHA256=167B83B1C4BD07041E65C05C79B1AC4EADE260465356C2E31A0DDAA9B1B85FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:41.408{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=706DF556D89F549EDB27EBDFD79FA509,SHA256=820FDCAF5115C3092747B5CD04B46EAA5CF6AC4AA367D393E35C026A2EB99092,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:39.298{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.60-23253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.340{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:39.620{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36156-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:42.877{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62B2481DA4C1556E44094C63124F443,SHA256=0DCA812DCBFC2C99A5225EE1805D3C8945003E357A7852614E3DE25D926CA346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.873{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5774B7FA5A3965FCC366C954AD4A4F08,SHA256=842B63F68BE08F9A3DA78C838BF0AB4BE4799338F0F858D064391F40EFD2DDD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:42.873{69CF5F33-2BEE-6154-D802-00000000FE01}22723476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BEE-6154-D802-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BF0-6154-DA02-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BF0-6154-DA02-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-2BF0-6154-DA02-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001445720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.631{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43584-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:45.451{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64793D147730D2632CDE5BB6416E041A,SHA256=F52A111CD2BE10593BE5B93F5D6FEF3D16C37106E9B17324405A4D39D49F4FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:42.969{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:45.170{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80EBCF589D507094B020A3E9646241E3,SHA256=4FA99ACEB3201A44DC93F4568DA0A2240271E3ADBD7780E551B43F62EBE61716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:46.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2840C3444C94DBD6700452C43BA075,SHA256=C46D9D30EAEC940576E0E42E1EC76C15DA93C84DD39A44DDA0B9EC5099D97FEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:44.233{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001540666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.036{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8279C097B86F6A4A6510DC836D41476B,SHA256=78732DCDA72491F25CDBAE427F1EFA65898CEE99B8DEA730091F8529F7A93CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.020{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.004{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7D03A454866C5424825BBB067E3CD8,SHA256=AD7D8D714DE68E7B7A3F3A65DF6013309C5A7E26887E90510AAAFBD801F4377C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.800{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51040-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:46.248{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=301B20ECA0E584871B1F1ED8D1065E11,SHA256=178D1859DD0E82895A20B3C2DE45A6D9F416397A1F8F9F77E33E95305FB1162B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:47.545{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8E776F79417CE3930BCD3AF91B2565,SHA256=46E771741C581484EA97DDE92A042C16AAB30A25412E5DD02F20CAA9BAD4DDF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:45.295{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001540669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:47.239{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8723FADAF81E0F7E717DE0B4C9A0B4,SHA256=BB406DFF93BDAC5C13AE829852DB47D6637B1E7C4C50E1599EE4D49C312AA455,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:45.955{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.60-5429-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.877{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57643-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:47.326{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4ADC77B64261D30EAE02DF2969A8790,SHA256=32CE9604BA696F0CF48CBFC5864C5643461B6207887A7876BBE0B60718F6981B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:47.161{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=467979886A70EE74E0CB5EB8F3F5D35E,SHA256=8F1075BB056E3794CF1B106289E211A7989306D701109371BB62C288B6097600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:48.576{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1071DF9ABCEF0815626C796598D5F46,SHA256=ABA6F2C93C33DC00B1D86509419D2075B17CFA9A37A89D9B4D0C282110C2B781,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001540678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.486{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:45.359{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8339-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001540675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.520{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001540674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.520{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.520{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:48.364{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9A0AB60007D72838961EB9B9466D1C9,SHA256=1ED9C66CF65A9AA848DFB445FAD546DDD9F677C34BAB1729A3B1F2FAA9BC4580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.270{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A581AE8B0BB4DC4E6B07423643422D,SHA256=C5B08BC0B3DE9577E03A7A4E813739A7E6A96BD380BE2A923AEEF3E898B44C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:48.388{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E02AA4125E0E9BC594986EAA41B9D40,SHA256=FA004DFE373DF0572727A5F757C40E629D1745A1E41F800706265B3E22C10E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:49.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBF96B240F9613D2CC0F9D7E9BC2A5C,SHA256=346F118D3DF531A3A5B98A0877EB9AA529C0792DAD3730E0F0CD24773583AAA3,IMPHASH=00000000000000000000000000000000falsetrue 
Sysmon records from the attackrange.local hosts win-dc-429 (10.0.1.14) and win-host-542 (10.0.1.15), one record per line, EventData fields in Sysmon schema order. System fields common to every record are not repeated: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, Task equal to EventID; Version is 5 for EventID 1, 3 and 23, 3 for EventID 10 and 2 for EventID 13. RuleName is "-" on every record.

EventID=3 EventRecordID=1540682 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:47.704" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=21054 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540681 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:49.494" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=A3C439CDBCC3FC21EA147759F27BA510,SHA256=8F87501FCCCC1B4ED511AD6E503550A66C21DB6D1FAFD6401FFDF01E3281A137,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540680 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:49.494" ProcessGuid={5EBD8912-18B9-6154-2800-00000000FE01} ProcessId=2952 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-079 Hashes=MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540679 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:49.272" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=9F993BAB1B55C6ED4F6674B1029D94DB,SHA256=DCD982D0E0B2AB2E943A5377F329CD807B7D0DCBCC4655A58E1FFE176AC2D3B7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445732 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:49.482" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=ECD9B1F4CC6890898C008E6D7AB25E84,SHA256=AE4DBEFD95589FEBB79B220D7C0FA0929B2D1766E9A58832365A0C3CCA16B946,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1445731 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:47.840" ProcessGuid={69CF5F33-18A6-6154-6300-00000000FE01} ProcessId=3980 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-542.attackrange.local SourcePort=50749 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=3 EventRecordID=1445730 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:47.033" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=12092 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1445736 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:50.607" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=45D22472057ACC608138A0DC3833ABA4,SHA256=CA5FEC25F092D3DA76EE3F5664BD48024FF74C117646F31EF82332807CE94D59,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540685 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:50.958" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=B615C26D4768C852185190E1CA1EC4DD,SHA256=8BB12124FA417241734C965DF5514FAB7851544FC441DCF639C105B022EA4ECA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540684 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:50.493" ProcessGuid={5EBD8912-18B9-6154-2800-00000000FE01} ProcessId=2952 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-080 Hashes=MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540683 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:50.273" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=068BE877A1028E5DD022ED4B660D8F41,SHA256=C82767EE52DA3B72219D2C8536B78464B34D328F8EFAF95A2A4E082D373BE142,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445735 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:50.592" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=E54046E58B935EB806C094746F0151CE,SHA256=C6A453DF3955FF37873E49F544A982A85FBA7C56B56932809309DF6847B87E7D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1445734 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:48.112" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=18337 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1445739 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:51.717" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=F0E920E6C63D32478E1644F8A68109EB,SHA256=453D697D835655EAC89B8073B4078F369DCC963B861E4D8C122D0CDA135E8965,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445738 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:51.623" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=F2E89F291BECCF08FD7752F1573DCEBD,SHA256=C781096B25B327C63D3973E1819EAF2AC4C54AA784F45FC794D118AA584A3B93,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1540687 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:49.050" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=28447 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540686 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:51.508" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=B12A135A817D09D36934F32946FE3EF2,SHA256=8A7492EDF82D139FBD9F453FACD60EDBF33ABB40E2C229F1FEF7DFCE2A60B635,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1445737 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:49.189" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=25120 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1445742 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:52.795" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=3C6758FD1987318F59CFED0C4676A81C,SHA256=06A2B7B1C473DA2007DB39534CFC8E77CD8AB4D346058968A3CCAB81037FE8FA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445741 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:52.623" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=8F4F676AC66239BBE06361A29DEE49B7,SHA256=B7ACD4C7E855D06BB36A81BA01BF732E73C7BB0EAC010B48D97DC185E51E5D0C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1540690 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:50.270" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=35102 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540689 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:52.508" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=51F4C9CA81E8F60E74C1CAD4B2492737,SHA256=B3EC478B8BAF50C29C849252B8A0D1AE95270806AF2E701B6D0E258A4C113AD0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1445740 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:50.298" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=31996 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540688 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:52.039" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=1331BCEE62BCC4131F05E549BECAC7A1,SHA256=1DA7DBEE9DC2E952E0B1AE121CEE7E9E10DD73D05CCBB6E1838010957CD631AE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445745 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:53.920" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=E26329E69B066963BDE3D7F8B6FC5220,SHA256=A96B9C72CCB2DC7FB9ABB71E76CE82ECE6031FB41A4B58261A0334083629E389,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445744 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:53.654" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=596DFBED193AA6653463241978470FFD,SHA256=79A06D8379DFB9CCDA9963F8DED0E5A3EC02A12E04BD99B3EB03C19560361818,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1540693 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:51.350" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=41064 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540692 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:53.539" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=9533CD392C42205DD2FB3DC9462F59B5,SHA256=8BE7A47625792F7F5700EFA65D9F54B23E7306284B5219F8B76BFD86433FD9ED,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1445743 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:51.423" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=38873 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540691 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:53.117" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=9DC5BA2A7F95DBF814477E7910F80C5B,SHA256=B14E76A51D507F89932ABEB3CDB036302FD936B54AB091FE50EE74CE69AA6724,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445746 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:54.764" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=51CD9F38C0AA1DB4251B8520799FF91D,SHA256=3530E691DBA610B8875E83CEF40B42C4D5244C0537668A8C0BB7E6B5DA231833,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1540696 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:52.316" ProcessGuid={5EBD8912-18C4-6154-6E00-00000000FE01} ProcessId=4004 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-429.attackrange.local SourcePort=65102 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=1540695 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:54.539" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1F4CDC5AA2D9C845B2CB7D24DC55126A,SHA256=9F79475E0C885B72FCEDD18A377B033F5F6836BF08744532898D0237169115DE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540694 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:54.227" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=AD4EA7AFDCBC9EF3630A86E7C69785E5,SHA256=F302B946D3EEA951A607186AAE0CD621CFF73BB0E0CCEC680D1401F97C6BA589,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1540700 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:53.573" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=53071 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=3 EventRecordID=1540699 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:52.439" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=46774 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540698 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:55.539" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=5D788E87C9AAE40B6BEF4554E2BD4C5C,SHA256=286F4643C87BFAAC1A63E11714574410CB00BFB2085582805D7CBF6DC813CBD7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445751 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:55.810" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=CE054DE3974DDF5461CE58A11D2476A1,SHA256=B3511118F84651F1EDF350E35490D3948387D7DCDCA208A72BCC53790BB65417,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1445750 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:53.746" ProcessGuid={69CF5F33-18A6-6154-6300-00000000FE01} ProcessId=3980 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-542.attackrange.local SourcePort=50750 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=3 EventRecordID=1445749 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:53.641" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=52727 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=3 EventRecordID=1445748 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:52.516" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=45566 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1445747 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:55.139" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=AC0599D6D9DFE20FF17A7EE9A233421F,SHA256=EAA8652569F66D04AF707A18B810AAF2BCA2EF7AB7E6AA9BE4D781102C75F69C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540697 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:55.367" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=3F295F54E62E29F3D84872F80ADCC9FE,SHA256=CDC3B017F1E44A27C52A67E4A5D53C11032BF7A8EE8A095171039C7BB39221C9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445753 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:56.842" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=ACE3F852079EAACFE5EFD10CB5C18669,SHA256=9552226C2627D315D46C0A88FB93E02EB2C821E258E3D8A9286576303C3C7F14,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1540705 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:54.707" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=3052 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=3 EventRecordID=1540704 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:54.692" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=59109 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=3 EventRecordID=1540703 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:54.660" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=2632 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1540702 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:56.539" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=AD0C901760A2D66FC75FBE514E560EBD,SHA256=44CBF0379CAC2757E0B780FB9B5DF981F1145655F5D6CDAF131230AEDDFBF7B0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540701 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:56.492" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=AAA86A0F6468A49EF8C77D1EBD654486,SHA256=8AD163961D46AD0200BE13A6196386574DBE47BA5832041A67C95AA723E306CB,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445752 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:56.232" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=66161C096A886B6ACD5A7E225C703993,SHA256=9C9A76F593071D38AFD61098492381744778F08726C23C66BA498B2E5D21242F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445757 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:57.842" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=961B96893D84F40FDEFE4D0AC93978F5,SHA256=F2C67B0C69D223C70089F89560689D4CFF6D3DBB3608B4BD47B6BC4E3D370AC4,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1540718 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:55.821" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=10033 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=3 EventRecordID=1540717 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:55.807" ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01} ProcessId=96 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.15 SourceHostname=- SourcePort=6301 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-429.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=10 EventRecordID=1540716 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.617" SourceProcessGUID={5EBD8912-18BA-6154-3500-00000000FE01} SourceProcessId=3292 SourceThreadId=3312 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={5EBD8912-2BFD-6154-0F03-00000000FE01} TargetProcessId=4224 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540715 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.617" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540714 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.617" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540713 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.617" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540712 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.617" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540711 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.617" SourceProcessGUID={5EBD8912-18A9-6154-0500-00000000FE01} SourceProcessId=416 SourceThreadId=432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={5EBD8912-2BFD-6154-0F03-00000000FE01} TargetProcessId=4224 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 EventRecordID=1540710 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.617" SourceProcessGUID={5EBD8912-18B9-6154-2900-00000000FE01} SourceProcessId=2960 SourceThreadId=3328 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={5EBD8912-2BFD-6154-0F03-00000000FE01} TargetProcessId=4224 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=1 EventRecordID=1540709 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.619" ProcessGuid={5EBD8912-2BFD-6154-0F03-00000000FE01} ProcessId=4224 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" FileVersion=10.0.10011.16384 Description="SplunkMonNoHandle Control Program" Product="Windows (R) Win 7 DDK driver" Company="Windows (R) Win 7 DDK provider" OriginalFileName=SplunkMonNoHandle.exe CommandLine="\"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe\"" CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={5EBD8912-18A9-6154-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8 ParentProcessGuid={5EBD8912-18B9-6154-2900-00000000FE01} ParentProcessId=2960 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine="\"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe\" service"
EventID=23 EventRecordID=1540708 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.570" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=1466A5845F03E93E975348FA331362F7,SHA256=B85E09731DF259F38AD31B337CEFB4352131ED177F3584FC14096CED348ABA21,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540707 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:57.539" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=B9F557D3FB587884496202CB2EFDC860,SHA256=A93672FEC9F2A8B875F08733E39E1B744311CB90093C9A66E80AB168313C9B7D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=1445756 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:55.938" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=8212 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=3 EventRecordID=1445755 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:54.845" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=1289 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1445754 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:57.295" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=2E9370E5B124FA94828A15A85AD983F0,SHA256=8D3B55A1555678292E0D1CEBE0B61A4A221289664B6BB7B317A41A8FD0288BE3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=13 EventRecordID=1540706 Computer=win-dc-429.attackrange.local EventType=SetValue UtcTime="2021-09-29 09:03:57.445" ProcessGuid={5EBD8912-18AC-6154-1200-00000000FE01} ProcessId=452 Image=C:\Windows\system32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime Details="QWORD (0x01d7b510-0xef96c7b3)"
EventID=3 EventRecordID=1445760 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:57.017" ProcessGuid={69CF5F33-1899-6154-1000-00000000FE01} ProcessId=964 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\NETWORK SERVICE" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=94.232.43.60 SourceHostname=- SourcePort=14810 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.15 DestinationHostname=win-host-542.attackrange.local DestinationPort=3389 DestinationPortName=ms-wbt-server
EventID=23 EventRecordID=1445759 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:58.842" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=E4639B957379DF73CF2E48210D83C1CE,SHA256=9EDD5F749EACBB29E8165FB3F4BECACB82C9F865D9DD844F3569F60D10661FD6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 EventRecordID=1540737 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.805" SourceProcessGUID={5EBD8912-18BA-6154-3500-00000000FE01} SourceProcessId=3292 SourceThreadId=3312 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={5EBD8912-2BFE-6154-1103-00000000FE01} TargetProcessId=5660 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540736 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.805" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540735 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.805" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540734 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.805" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540733 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.805" SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01} SourceProcessId=852 SourceThreadId=4560 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01} TargetProcessId=2976 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 EventRecordID=1540732 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.805" SourceProcessGUID={5EBD8912-18A9-6154-0500-00000000FE01} SourceProcessId=416 SourceThreadId=5172 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={5EBD8912-2BFE-6154-1103-00000000FE01} TargetProcessId=5660 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 EventRecordID=1540731 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.805" SourceProcessGUID={5EBD8912-18B9-6154-2900-00000000FE01} SourceProcessId=2960 SourceThreadId=3328 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={5EBD8912-2BFE-6154-1103-00000000FE01} TargetProcessId=5660 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=1 EventRecordID=1540730 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.806" ProcessGuid={5EBD8912-2BFE-6154-1103-00000000FE01} ProcessId=5660 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" FileVersion=8.0.2 Description="Network monitor" Product="Splunk Application" Company="Splunk Inc." OriginalFileName=splunk-netmon.exe CommandLine="\"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe\"" CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={5EBD8912-18A9-6154-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC ParentProcessGuid={5EBD8912-18B9-6154-2900-00000000FE01} ParentProcessId=2960 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine="\"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe\" service"
EventID=23 EventRecordID=1540729 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.648" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=9BB4351661653AE0885D8E5FFDD4D0C0,SHA256=CD847D8108ADE9BC3448B722776D345DD4174BF4225D6935043D30A3A64734FE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1540728 Computer=win-dc-429.attackrange.local UtcTime="2021-09-29 09:03:58.555" ProcessGuid={5EBD8912-18CB-6154-7700-00000000FE01} ProcessId=1336 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=7F3FD3B41097EDA8501E8A5EF609D3EF,SHA256=B6D9EB84D84AE1D924B9BED64CC635D1DE4BB9F75C8D3C922D12C268E2DBC99C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=1445758 Computer=win-host-542.attackrange.local UtcTime="2021-09-29 09:03:58.389" ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01} ProcessId=3364 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=919FC8B9AF6009719C13F0659ED61C0C,SHA256=2E027AB2F8647CCC3DA56CEBE0D81062712B3422C950DFFFCE35ACE55AD1B6AF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
10341000x80000000000000001540727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.539{5EBD8912-2BFE-6154-1003-00000000FE01}13005032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.290{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:59.920{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1808B9772F9792B9A620EF2F4EBAADA,SHA256=572890C7DD15351199C07BBFAB05FB7DE71B0EC18847988E89BCD63C0A5772DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.038{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-23948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.959{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-17810-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.455{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:56.912{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-16777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:56.881{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12108-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A82244D98F07B3073F1EF3F25AE8A6BA,SHA256=70A23DADF8F59393E4E3DB3743035DC5F17C4A86FE0997597C01C7BB109A5417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03494BBC09EC9342511D5F08D248BB76,SHA256=07BACB3B54A8897CBD023A42EC6A169BF3834B36308BA63A1EB8B34EFE2C07A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:59.514{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C418499E0772DCDFD7D8DAE24C0EE2C,SHA256=987B8C60DFA32974F5E547435C00C8AE1D52F7E40B05BAE6A01402A80B86EA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:58.918{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50751-false10.0.1.12-8000- 354300x80000000000000001445765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:58.109{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:00.936{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF772E9C082F98282422FBBB6A273DE3,SHA256=343135698F8719729FB005D4AC51DC1DBDFBF8F41E3CFDD99715651574809B5E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001540747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.038{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23889-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.805{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=241DCB095B4A122B99396EE2785B3BCF,SHA256=56DD0622C9F49734400B100E22585EEB1939AFE02DA2B37748A922027574023F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.602{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8731F4A6B4F46606206B0CAB80ADB086,SHA256=E7AF1A1290A40E86465B3F2E9EE13101731E5BFF046E8929DE02D6510877E0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:00.701{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDA0885E3E4F26CF2CDE5A8D9C162C61,SHA256=E0E5D7CB7967FBB28D040BD5A4B4105D354998FB4A46556D51A9C374CEBBF360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:01.967{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EF5A4F84E107E4866E9FC852822DD9,SHA256=C472911895135558EC20F8BC521F6987541618C52A188574F76E7CEE7764FC05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.315{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65104-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.315{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65104-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.116{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-30562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001540757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.680{5EBD8912-2C01-6154-1203-00000000FE01}50722224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.602{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCC1A0C85CB00EB90969047617156C4,SHA256=1FBC56E1162FAAF4A77181121C0AADAC9A4F612B90BD2A62442CFC4D4C6184BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:01.826{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405BFA993E2147EAADB48F0E49F7AB3A,SHA256=64BD44916FE693D0ECBB8A22B383083DDDDC4D3A768D2E08548F9FB0AA98D4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001540779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.884{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.633{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900F52D23C6576DA44BBEA8884AB48EE,SHA256=6CD027D971E81F293CB140144FBF6794DEDBCAF3485BAFF4B13B59C1D7961A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:02.617{5EBD8912-2C02-6154-1303-00000000FE01}58165376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:02.904{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F12FFCAAE9323649143CEA2FAB6FE83,SHA256=2CB97207408A0C7097138D763C9E4708B266D35026249FB9FF7336D4A95E7186,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:00.423{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-35784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:59.293{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-28714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001540769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:02.383{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.384{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.008{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39C0BA36DED0A5D5EC63007BC2DC1A66,SHA256=54008A2FF6C98F623FB766A03EE8B98190F9665E0C7652BA203D88A53FD34891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:03.648{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85667E9535E26A82BCC82722943E573D,SHA256=6FA442EA7030E11F4F0F6146E318F2F50515CC865343A72976004622E1354026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:02.998{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CD2C4A1C4BB701C96052E6661379C6,SHA256=AEB7B047C5F020EB65F6FC84C012AE8C74D01997A75D8F4077A456382D80F88D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.086{5EBD8912-2C02-6154-1403-00000000FE01}16564300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.086{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36051BDA65CC0BA1133ADE3E4C7D3165,SHA256=5B3A933D9251C443F8FF96FAE938CB18357987EDCC7D743C38307CFDC193B5D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.312{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-37760-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.242{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-30436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9364FCCDCA8B23F4B66DE808BF536C20,SHA256=D9C37A716C037583C2CF4E7D2F266DFD59C79A58BD006BC43F51B633AB3B77AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001540794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:04.648{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.649{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001445776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:02.612{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:01.532{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-42729-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.076{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C85E2D6679228DA63D88CC978E3FF95,SHA256=9FA2FD44AFB14071AA2BE3509A9539D8D6D603CD0759CFA718FDDC87743F772F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.014{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E60A6A960A0A30F90B0E9899427F3A,SHA256=1E893E6FD6C412C97C2CAFB032A32E6CCAF0648A62BACBE5E1F59E746041ED66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.513{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45065-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.319{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.148{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3E089A828799099B1A8908D1D100E8D,SHA256=D5881064F5CF61697626DBF06021028E87329BD0AE768B5377FE9C4CCC49A577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB94D3457C59B7C1DD65593A00B5436E,SHA256=DF992057E4AC97A631D987A4E2AFA2DA530806C1A7B63186B3B6E4D22B710C61,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001445779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:03.782{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:05.154{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D77EFA1B74B736215907C2BD6E7EAEF0,SHA256=F56A6DD387FF9586E1DCF979C25D547D2F1A64ACEC0D702745DC844D1FDA80C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:05.014{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1897773AB427F394BF271D6D9D1A3F,SHA256=9DE5E0B4E9A67DDACEEBC005496D51D0070192B6F1A586A4E9D16218F12DB69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.398{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BCA41882D5D2E92B573FBD38CF769EC,SHA256=0113610BBF4DE37DFCF7A1BE390402922A27E54EF70AF9CF7A89AE69A37C7D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:02.397{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727F60CFD4EF332E7C4FFACC7B613A48,SHA256=738DB5012193D58C068CCA3123AFD05B3F86D9B54BFBCCD32370211B94BC96E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:06.233{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDC25EA839D2AC75392C7F969EBC6F21,SHA256=DD7C515DFB3C482592423B9021C5A411FBF160804E11FF2B165F21EE25F9AC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:06.045{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464804E657F0C607EC11BECE780D6A23,SHA256=56AD11C198BB0C859C0F4B1BD4987F96F23B9981516E48B5B815009C10363CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.478{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB871E18258A308CFFF80D05F5F1D81,SHA256=CACF690A122239FD2FACB5D838FF87C1C405BA6C8C9A48684198465BA7CDFBC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.694{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58781-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.603{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-48447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.471{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.617{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:07.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD127F19BB0B1F1941FD46DCF651CE8,SHA256=19197D50C42E6F39F4228184229BF6CBC930DABC99F37F1459F0D39181E13258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:07.311{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D4BF1D0C92060317CEAD1483C3CE06,SHA256=02C8F0803A97937A31A4D6E40ADEC7683C320898D23813A39D372A5C2E151A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:07.076{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7FD266C88A764433029BF15708089F,SHA256=D137E8084CE6251D61905E859B9A92C54A7649B8BEA39F7073A0E1D25D1C618A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:07.556{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ED94581C949ACAE22394D71006E0241,SHA256=F83C8E73B84FB9C4DA2FF7102675A23A8C3671F13544ADAC6BC34DD110BCF8FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.709{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-54478-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72DAAB0F321542C0B1D820B7D9A75709,SHA256=7395FEEC38A4D283AB27F3217EA998B46765435A728C14DC21E97AA09DD27747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAB67985B94511B398A32C4D32A7ACE,SHA256=382C4484CDE222B4554160E3A56D23E2F411C9E53D1C5862188B13D6AD1B34EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:08.436{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A7E409FFF309A17F2215122A0F13AF1,SHA256=EC444BF1682C7DDECFEDED64A774AFA1B3C0D45E2835EB7745E82263638B87F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:08.092{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134439E9CC6EE12FDCCCAFBFA17D782C,SHA256=CB486A333772DAFC1BFD1C6AA8FC07398F38BA7028F0BDD2511D8413F0ABAC06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.915{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-13355-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.790{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.789{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:05.938{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.860{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4358-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.855{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50752-false10.0.1.12-8000- 23542300x80000000000000001540817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.821{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3288855F91C0284E3A7A79EC894ABA0,SHA256=937FB904429281D6525899A96A5FCA382B8EDAAC41962326C665C5E08248AA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07329CDB31E0A4121DDD547E6434F0E,SHA256=20F4CFB8E9B177CBA90C488F36624ED333D5330C943130571CEA093B4563E3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:09.514{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044BAAF28446975F7E2790D8D49D7FF9,SHA256=0CBE74F218A9C9A9198B082531E24F36092FBCC86EB580F32371D53C0F3E1904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:09.155{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F846C4AFC0E08456BAE9C1E81E1BEAC,SHA256=B74D5A01000763BC64A0CB69DEC9868C3E5543703B11808D24299DF38D0220A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.993{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.882{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:07.031{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-17740-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.900{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5853E6A6883D652FDC7515F865027118,SHA256=F1DF4F1B270462AC3E029D5FEB962D929F3FC53E0DBCA6CA1394159A53699DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2066ADEAE441A85B37A91A28E84A441D,SHA256=C9038A78E92865606166337C07B49DF75EF1DD6F18DA526F73D27800DA12ECE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C0B8F553413A46F9C4C83D81D185B2A,SHA256=3A2F9F5AB010658B1505F29412806FA1A7749289F082DCD817CC052D0A9217B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.170{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC6A6FB67ADC69BE788B52C8F5BA6C7,SHA256=FBC941B38B24EFA0FF2ED79A97FF27A6445B1C81280E4624666D4FE0AE03799B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.085{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-26492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.054{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13844-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001540824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:11.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E99480AF25C714544860DD1935C5CE,SHA256=BB0ECB5CBD657BB22DDE5412C7C05B3E3B1D3B8BE38B1790B08A61B5F3BBB9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:11.717{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64F56299E4EAA4EBC24BA74876B9464E,SHA256=54FC3672DCEF8911CCAE92B0297A87235F182C25636B06CD2A46C679948D693A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:11.186{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA51F51CBF68EC14223353D9B68B89D,SHA256=62B7443D6102B17B32F017155031372A1EE826FABF6CC822CEA4C3FCF5B1A70D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.227{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33571-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:09.135{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19222-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:09.220{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-30938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:08.142{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-24708-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9003D6F58B45A68CA79136F291CB2482,SHA256=1CED85E7D270E6B4F17E1A6A1FA4DE9769EBF0B5034BB441753FB5CC10E93493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:12.842{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85C702C355C1FA70E4606803B483EB5A,SHA256=B439CC3286B1800D61EC2B239B833D69EA4950F827F765EB6897B31E3B876B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:12.217{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34D244EC6A4EF59F19A308350DFC2CE,SHA256=21952DE29A67986CDFDD14E0BE4D72A532986A1966AE231285642E33CE70DA24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.314{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-37583-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.214{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.441{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.009{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=725E18B6577295F0C814C69CBB8E00D4,SHA256=A707DB2494A28D4D41D15176AC94821C6BB641887CD8B65D46C0575242B6B808,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001540833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BFE74ED3D5A76624136493BCFFE5B7,SHA256=5AD0AF2D954B3E5B087F93A96096924EBE63B84A0F0926FC5240FD709B1D0066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:13.264{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFE5A81DF07F962BF742162A3251C22,SHA256=523AB6749CC88E9E89B5A4A071876EA5CD711FC46D1A4D796BEA57037C34D37C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:11.399{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-46988-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:11.359{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-31538-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.305{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-40275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001540829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.196{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EB7F4D3417A95728BEE5E96103CEEA8,SHA256=FEC4726E2FFEC5CF5ECBE484767EEC8559B45A321C22A856A0D84458CD511564,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.855{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50753-false10.0.1.12-8000- 23542300x80000000000000001540837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C980B45E82AF66177E586105227569A9,SHA256=3AEBF9AAAA1EDA932F69802BFD28E4386EE69EE9DBCA5774D80D621E2DC81FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:14.874{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93F8F98EF3004A3B83EEAE32A46E77C5,SHA256=D49C65701778FEBFFDC43A48EB919C10DB581020247D94578AEB9143BB587768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:14.295{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFC959D8427087FBC906C11F2321CB8,SHA256=04A4158F46CF60B33D8B89C805959DACCDB0E991E63AC5AC0C4D33E4CB31C49B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:11.438{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-44492-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.554{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.524{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53840-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.322{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C35801CA301CEDCD4452F5FE9C3F3EB,SHA256=91A1CA14C8DFFBCF08A49FD41DE928C8DD0144536D96C9601068AEFC1FE50BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:14.014{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84D80726C18196D8F69FF267604A8D42,SHA256=795C1EB59CC389ABEA3F5941EEF06144D2F464AC1EDD1295E0C25240A255D7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:15.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADEAC4109DAC04F2EA975E54391F107,SHA256=5846526F96464F3F91949391EEB1613DB18F3F6112A8061BAA02B8D03695E609,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:13.720{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58590-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:12.565{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:15.311{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C66F55C4D13D2B064602DA66E368885,SHA256=F85B12F8FE41988BD638DD1FD5E228C811228CE3C61D744C8FC8D38E099A1740,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001540839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.633{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:15.400{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB92B8FE6A5C64D6DDD8589F48587D55,SHA256=B793EEDBE089DCF226205FBDD62E8993621D667FD0BE24DB1DB9272EFE6B81AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:15.092{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97D43B83A7A1AC2B7E6F56693747F534,SHA256=AD75FD1D03575B50EDCE4E80431F681C28FE95DFC4DFB9E90ACEB4145B8CBDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:16.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802BC9E4907536F43C0AEFAF62F2DC17,SHA256=72BCCE197F83D425F1704603B7E4F4AE54DA5C751E20C5D4ABD5ADB46CB004BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.519{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.710{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44696-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:16.327{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4682FFE07CF67785818D6C659E27AC0,SHA256=D1D33DAB10F871CA61F2593E92A53B5BB40421157300E510E3E5F90DA73F5E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:16.525{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C96A549E16BB70BC34C933D678E1CBDD,SHA256=2163CF005997FA3383A3E2729AC51D659133044E846AA95C9B7A1E1C8D71E2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:16.202{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09CC37649AF57CB40977D0FF637D33DF,SHA256=0FB9155D77325590E6878AC8EE80BE0296D82323A20C31BE1D2F1B0ADC080A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:16.139{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:17.837{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA4D7206B4B149361CB3F65195E87AA,SHA256=0DB6B77150FDB4C6D07FBC20E70A4C8E3FECB5D2C7B0A11990E50B2FBB1C8CF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:15.837{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.837{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51069-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:25.550{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:24.961{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:24.741{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10310-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:28.243{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9653252C9833CEEEAD6917E671308A65,SHA256=9EF5A4D22E83FCABF1229FEB2BD66DB1FAA75447284D69FC682C207C7D4A2E81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.782{69CF5F33-2C1C-6154-DD02-00000000FE01}36403028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A80CA89BE8C0BB9995709D5EE2797F37,SHA256=17FD3A50F6D9EFFE04A206E15D6A7EDF6E9EE2BFFE5E2A5887D5986C0890B4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59D23222094FDB80EE7319E60A6F8E03,SHA256=C8B77117A4926DA808DEEF2ED89637829D6E344AF3C3DB68B382B463824AC352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.860{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DF28AD754AFFC636C1C9A47B36E855,SHA256=F513EC35B153B6D08B5B6FFFF69C97FD7D30EB83EE37909358DD4F73657992FF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001540893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.790{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A14BDF6AE145B552939B3D6B22A727ED,SHA256=C3D3B7857F98A50B5899A53B7F55FCA31C4B1A6F736D39FFEE9B42E0C16DE92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.258{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63C4AEEC0841A7D6073CBF6FD64A0A7,SHA256=AC8A700355669DF414E12C967C5AFF1CEF06983E150490A005662024D6B7BF25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.689{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001445871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.919{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50757-false10.0.1.12-8000- 354300x80000000000000001540891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:26.930{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.60-23418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:26.128{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:30.891{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FD39A6D04AEC011A694C191C84D3BA,SHA256=C814752C7DEF70CED6429B8E4FD2551F280779AE1379483C2233E9C24DA46945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.868{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08DEE3F2F8DA0068ABB52225DB8D1ECB,SHA256=144AC5E22551C9810F056E21D3C3F826F1003D568808341EBB6EE5FBEA7CBD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.258{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0830DA9FA6D32D742D55E3CA8CEE81,SHA256=F84EEBFDB954204696923C89DC0AB4E49FE8361B6F9CE183A1F2BBD1DC5B9942,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:30.735{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A80CA89BE8C0BB9995709D5EE2797F37,SHA256=17FD3A50F6D9EFFE04A206E15D6A7EDF6E9EE2BFFE5E2A5887D5986C0890B4DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:28.018{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:27.269{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-59700-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:31.891{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBC9B58C620488D277556C1439B26F1,SHA256=F15D4932635C90FE8DF0BE7EA10CC4B392C886E09F1FAD9306ADA34128F0260D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:31.274{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D6F79A5D221D3C6CEA50671B0787A1,SHA256=AC1E19880E79CB9186E7F582CE4A97344615E3292F88D693797F3A693612A66F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.102{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:28.391{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7269-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:32.907{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB34061B633B7EFE234B859C135DAE6,SHA256=59BEABD6967B2F2C5F7B6A22D3720F10703A663628E12B32521EE80BFF25F1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.368{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C98FC401C6FD1233B1F33BD45B59ADD,SHA256=AB8DE13709658B4039C8E64383EEB04AA77C29C30797C969F80F527D11872BB3,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001540903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.239{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.602{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.008{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B61CEF69BF9591407A643582630DC389,SHA256=982BE98729EBF039C460A5F2C10925B2F38A15C1EC0965C34760638001D15D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:33.938{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CA6EF142CE398A547825D674BA3417,SHA256=F40D6802313F9058B9C391B00F4B8E96712C98C2D819CC2015A013CB927477A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.805{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0585758676D713B8298BC5A11112F2A5,SHA256=ACC6D59853775492B75F75D40865640A6252CDB7067C8110DA72AF05D2EC49E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.368{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E5B957B6BE5A0C5880469A726A08BA,SHA256=7D079D3FE9D80D50B76D026007B314830960026274A9E68B227700A50C2C9443,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:31.320{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.733{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.087{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC84204BBEFB6982CF7C222BF73ACBDE,SHA256=405017E44B6B66BEAD91C76964E4BB6EE08EACDB89FD487AADB28D556A8D51A6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:34.954{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CEFCE6688377338408938E6A02ADFC,SHA256=FDD58EF6572829185192364426F9FA7B5BBCCFF03D3B1C44F741381A3A570EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:34.399{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562E4D3A05702972C51644FCC0A88455,SHA256=615AC240A4FF82FD326F2141B4F5128EB7367CEC1A0BA7166AB5DC20D6BA0A32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.147{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27285-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:31.379{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.386{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-34419-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.352{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34290-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.330{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34167-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.308{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.272{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.215{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2499-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.193{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001540939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.171{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2237-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.148{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.107{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1675-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.052{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1444-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.016{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.980{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1112-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:32.957{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.924{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.888{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.850{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.828{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.805{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58807-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.753{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.60-58654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.730{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.708{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58254-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.665{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58010-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.631{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.610{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57619-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001540920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.572{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.535{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57228-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.514{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.492{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.470{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.433{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:32.399{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56282-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:35.415{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6018D1F7C2B184D6ADCB5E63EBB1BE96,SHA256=CFF36C98D1541825AE6DAA79D01AF39B6D12219B8B5DF118DD3E71D4043FDBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:33.794{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50758-false10.0.1.12-8000- 23542300x80000000000000001540951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:36.930{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45052E4CC74B7FBC0465DF186F9B4D86,SHA256=9402436BE2CE2BF5507FF5798610FECF8938C0CA034C40C9B32E3F1FF3C0C5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.498{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001540949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.464{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34856-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.407{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34589-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:36.032{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E513842C6D758FC1355A9C6AC8D902,SHA256=5C56270106BD38821BFCD9A5E9B725D3AF5CFBE3597C1E1AD1F56B53422E3879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:37.524{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDDF5BA2C05820D9A18E26B57AB578A,SHA256=DEA2D1A7194635C87D1B746813C2BD87308C4B34164EEFB92324731423CD5044,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:37.079{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164279C79B09EBCC4A1B71B8BE1EA949,SHA256=CA1BB16F05AE890A27AD9B0DBBDACC5563B995E50D150A020AE78A419F925798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:38.524{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092855AAFB45CCD01D323A2A6E7994A2,SHA256=F986B15D0C96DB59615E8286F879A17A8A147C844D8FD47160B4D273AEF201FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:38.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21BA877A5BCEAC71D645BE7184DAF23,SHA256=124893011E84A5EE914AE06ED053CC960C06149295D02FF24621A7E0D56C8DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:39.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC26411C7C5E7DBEC9407B36E01DCDD8,SHA256=F35BE5BEE4C3CC53081218746EB0C103D6A74B69BE731EAE4830AB3788ADCBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:39.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BD9927D33BFBDE096339601EAC62BF,SHA256=685A9448893324C37B23C54659B1970EE99A29A70D17A6C2EA5C36C88C397394,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:36.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:40.587{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0967D67D2C2541EC379171B88D5D15D6,SHA256=30AE1ECED233976AF326D33C0B0A994DE02A1AE58F94E3D7EEB92489F1273A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:40.110{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D66A6B638B2EC4F1789AB034B73670D,SHA256=C54F1511661DD35FCA798D22C269B10F1AEC3AF2CB4F30113FE42734200EB7F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C2C-6154-E202-00000000FE01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C2C-6154-E202-00000000FE01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.691{69CF5F33-2C2C-6154-E202-00000000FE01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D485F200D8F7E4B227566CDBBEEB7D7,SHA256=0E5632F85923E2C9A0FA5A2D560D20A81F4529BC4AD0F9425CBBE8E2B6D6D831,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001445952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.251{69CF5F33-2C2C-6154-E102-00000000FE01}32803700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001445951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.110{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001445950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.080{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:45.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2FAD08E7DA66CBEBC113770950E86E,SHA256=AC77C008D150AF47659FD46224A568540B855D2F261C76B80DBBC3BCF927DEC3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:45.673{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41A32909C5CA1FD1B36F38CA8719ABFD,SHA256=57C0BD581ABE3FE56D9B0993A0B4159715F3429E4CD64D5477A14F1ACE3E2AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:45.361{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF61BEE7A417C3323606DCEEC3E3B87,SHA256=6B249134CDB6F8DC93C44C50E51323B5F45B746BE98A5BE5AB1B89ECFCC46488,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:42.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001445968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.220{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:46.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C442ACD6BD3CDA7DD9F3E3166BADF377,SHA256=85F7CB5105BD7EA1E674456E8FFF03E383BC2802BE68591AF3F58355A84749AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:46.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6759AFAD0FF2819224EA4CA43808C2,SHA256=493DD9C38A4CED3ECBA50C066C4B17A1147A0162F0141281F708C95C21C03319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:46.376{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E917F5C3811AD5E813E53F27CA1A64,SHA256=059DF776D179594C9F6376EEB9A039DCD0ADFC9E1D3DE5D0C84586B95AD89355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:46.038{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.299{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-33030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:47.819{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925A7B1C4444044F113FF33924556D20,SHA256=A2F02761DFEBCD8CC0C4FB09CBF3159C53CA8197F2E4EEBA73B23A5C82181626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:47.393{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D861C247AABB7808DB58D62821576884,SHA256=302533FB10765515B3897278E9A5C9DB350B72B12B7B2E86798C6F7A2D76ACFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:45.315{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001445975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:45.778{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50761-false10.0.1.12-8000- 354300x80000000000000001445974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:45.426{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:48.834{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624A84731CA290C2C7CF6AC969AD97B8,SHA256=5E884CA87344FFD6763E37B7B4B8109A97023901B0AC4A6E83AF9617506E3FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:48.470{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8501887335F12F4A3FC7FA3E194ABEC,SHA256=6A44234943C1BB3FF4C223D95A76F736A97A72F3FD54D44F700353635DF0D300,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:46.592{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45350-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:48.001{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DEDA104EED904811ED38AEBEDDD2AF5,SHA256=DEEF8CD3FD561D029FD0616545C2E9305DEF24FD7F34FDD6F8E7489FDD52E3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:49.850{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59CE4C122BA4DDE017C81D011D05589,SHA256=4596E044280F15675A3F910800B333137BBA86B63DC3A1EC5DBA99BE17AB3296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:49.470{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4DCE7289229B878407B015F31A2CE2,SHA256=474452E6E97D2293E9B61D4297FF30340DBAE4D67D68D91F55D803D4FE99A9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:49.080{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFC0B36E39BFAE6ECF692B3D0F3E1363,SHA256=7D0BBC553B89D77F5B3C05D5047E1913A5D9CA3392AE58E1A7C1F0E94FD270B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:50.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333C51148DF8DDBC0DCE55E65B73EE4A,SHA256=F5E28A14A6C8990F4A736C2F1792A153B714D0C8EEBD9FF918EA8FE8F9808002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:50.486{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7522EF6AD8EDD5AACDA6DBC0CF8058E4,SHA256=24450D93ADE1D274379B1DC680B2A9E1397B1469ACEDCD9C2BC8B02FE0EB61A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:47.705{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:48.394{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001445982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:50.173{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F71BEEFCD0E12B424A806C217789EC,SHA256=2B4C83A080CF0A03DD956C76D6BA276D482F332CC2D8372547E07F7984326265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:51.866{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863FF8C31D771DF8925162290CD9D160,SHA256=F00E4FDF5178F90E5D9BCB54B33CC8A8B0F8C8FE3B662456C310B2D9C4E561AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:51.486{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C3062BD9E2768DA5B4CA88A661A893,SHA256=63F95AE6435254AE9605F6F0BD501676D023C1AF497187F2282C5640E43A0AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:51.010{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-080MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:49.876{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-4712-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:48.784{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57827-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:51.251{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F75685527D600F803F9D2B567AC53B,SHA256=B0F1472FA8A7B885FE9902DEEC3A19A0BD3D4FFB094500B5E3E261A29C73184F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:52.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3346511C8182639A6DF7818077584EDC,SHA256=B8092F41E07BA4903AB0C5EA409D430002417723714F69A77859D2D63A59CE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:52.502{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090649A3F0E4C60B8F61E04EA6017A78,SHA256=03AD3E8F2F2984AF985196FE6F8604432B98B8CB4ADBB0283A61DFE0D1D9DA97,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001540976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:52.024{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-081MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:52.377{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93EEED050342674C675D87DD2A7CD778,SHA256=CEF2E96EE09B3AEE433E10976E57CFB036B7A86ACEF8E46B3C188C995B043B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:53.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74F72B87D644603E6D3B41639D1AED2,SHA256=0AD32DE2E32EDB8C19EA64A93497E81CCFE174D2B8A2262FA92B27603CBCA7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:53.517{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCFA59526E8DE4382792CC9FC2D5580,SHA256=EA78857EBE512128375CA02304FDF6B15441E039CAF871043E04B1AC623E3B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:53.455{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D2A59AF054A2C8D2C2D8AEBBC3CB15,SHA256=321AE11DBFC3D6EB215477153D2F7C83348C647201BB8D1E2BA5D0FBCF5BB59A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:51.732{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50762-false10.0.1.12-8000- 354300x80000000000000001445991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:50.970{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-10540-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:54.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001CC946AD46CFB569B4369A1E75B2F9,SHA256=DA2728F860E62836435B5A9A26033B75B75E28647038DB5F7DA3308546706D22,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001445997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:54.564{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7993A034A2F6848333D3054815239944,SHA256=B7A1798242C6FFA1EAB015DD529710867C9585CE4A93552135FC79AAD7D9EC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:54.533{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03B61C9BADF15D896939EF4C32F964AA,SHA256=6B9EC4B566BDA3EE0B8030BB2138BD6F5A59AAF2A860AA91DF12BD30A504313B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:52.080{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-16347-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:55.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5A07B5532D6CA3FA81091EBC97360B,SHA256=129196C79CE3406A13367B685EF611B876F57581EBFF076BF874A69C29D535A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:55.814{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7BEC8ADAFE5536487B6F47D5B30B8A,SHA256=4235D1D42E3C26DAB2E5A8DCBBD5BE271759B329F99AB8E29FF6133C23D76270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:55.564{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77E8BE186F4416BAD93985BFC117C6E,SHA256=BEDBC5D504F50643D221F461B21DC17AB4E6232E86C9B8BDCEAB41E3051A5B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:53.158{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22167-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:56.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6702DD28DC509C724943BF0B550A15CC,SHA256=94B055298EE650E5868D7E337C66AFEAD76B6C28CD7CEB1D7E3031FD77353F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.892{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=049A07D3942AF6E8B26C2A14665AA067,SHA256=DCE286342D27712A696DC354EBB4795B6C9F6BE2D90F358B5D11EC42D9D59314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.611{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82544777C96150DF7EA3358D85309177,SHA256=80E855A7FFBF3496033D25F137FA046F2AC60844F0727B703F5B819E053C0630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B5858D10E63E737B1F1C750588C76B,SHA256=697882A86B2A2FD93E1DEB492F3659A6960F1089F568EAA2CB2FDDB529032067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:57.970{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B01C87AE8F2EEB6027A39C5EEAB6C8D,SHA256=033826A8A14730E089E7439069E9A036CE4D00C64510325EEE30C79E277D5741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:04:57.627{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1988F8EE2DE5AC287FB30776EB1859,SHA256=7BCDEBCD64C4BE3F24A69A4A0ED313276F08EF13A5401D541CAB0E80E535D08B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:57.633{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.634{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:54.410{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001446004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:55.517{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-35097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:54.248{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-28216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC75AADEF74FA0BBDC1954A8918D6DB8,SHA256=FF2E238418EE73B53C94C69DA0FED2B9BA33A9CB71F3E927D7718EA72CE1B612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:58.642{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D978157AFA894EA17F886F72B71B14,SHA256=B92D8B65C88AE050606E7C46FEB2EE5C11E50FEAA84ED3A8E22BA9E736F86DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.821{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.711{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F757CA3A48FCF021866CD0ADAB3B91,SHA256=CE5BB6DD610F299AB1A5FD13B18FF3EEF77F4E2E179D4AC3185CD9994372C27C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001541001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.711{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5AEC81B7B7ACA38066F06C419C3CC8B,SHA256=21DFE9D3ACD77AECD9ADA56E93A7837A8EE12C7186121628EF3E6124A61CE5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.336{5EBD8912-2C3A-6154-1703-00000000FE01}37602160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:04:58.148{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.149{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001446008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.934{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50763-false10.0.1.12-8000- 354300x80000000000000001446007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.595{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41299-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:59.898{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12309023AEED5C3DAB5C5B308491C6E,SHA256=96D4B9413C59C6042D46235E194FD2E78FD3EEF08EE23812A6DC1D5944AED2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:59.658{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECE8349EFF14CFF52EFF5B52AFB9BC0,SHA256=3D5DDD664ACD4B2A8FD7783785C39F3F5C12E1B135655168AE68E0001CF5155E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:59.820{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F757CA3A48FCF021866CD0ADAB3B91,SHA256=CE5BB6DD610F299AB1A5FD13B18FF3EEF77F4E2E179D4AC3185CD9994372C27C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:57.673{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47280-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:59.111{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17570CD1302A7059453A71A62CC3BB09,SHA256=D0DA822E0EBFF698F655F9818CEF8DE8F8492929178243EF1EA0762B35489D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:00.914{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE20DA2CB46B950C8A7DA6245EF8CCFC,SHA256=C9F9886CF67730917838A7F2D847D6736A55C14132ED4DED1EB3313503C350FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:00.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FA3A40C34FD26FF46D370A8137C9AC,SHA256=47B4FE5575529C625B7ADD6BF6993E09158E76988FF7FB5D1AE4F4A3E38EA00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:00.174{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38BCD2BAF90CA8661D3960FD86FD1531,SHA256=4ACDBC9E6818B47717E598CE5258C5B0FCA4CBB6F6D613DFC5F8021FDD0F43E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.930{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F19B784CE2CF844EF618FBEBEAFED11,SHA256=98592DD6BD38781FD2133096C5CCB0C234B384219BB67722F5656D4C6A795124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:01.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078680EB922272A26A0A458DD09ED1E0,SHA256=FD822F36E88BFA8E91431D8200AE4F73AB7E3811A4715DD2A95D4C0C181C5A16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.727{5EBD8912-2C3D-6154-1903-00000000FE01}59763868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.524{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.055{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAC77AE6A38D6C1FC086BF3125F6FBC5,SHA256=960FE61D108749BA83A0974C1A6E2AD998E60DE6A1DC2C610B7EFD6AE4F306E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:59.893{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1127-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:58.814{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53720-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:01.252{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F20B7745EC00402F843BF9B677EB4261,SHA256=2AB1B5FE10EE6EE3FF8E8034BDFEB1B52791BE32254912A7AE9BE71F2BE1F673,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001541046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0123C83FE468FC47B2A65D4DA124E90F,SHA256=3ADE5719F2E87A50199B51DF033CEFC4AA6603FD9804A82DEBDD31B34EAE960A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:02.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CF5E58FAE12FED86833BA668091B85,SHA256=FB491C7D3C373460E720DF09D03188F7AB3CA6BC96A8A356A6BCBD72AE083678,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3E-6154-1B03-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C3E-6154-1B03-00000000FE01}1716C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:13.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F60E8AA405B35EC2AFB0DF67AD03D9,SHA256=155C0BBB43290103EFEAA218436500FA4B9BD77D6E0008D7BCC953BC588EFF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:13.705{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A13D468DB4A8221CDCDAD3B435F867,SHA256=A0A26E5F809353B34708840A9F90AE85F342D10731DF1DE5B17C82FE9BC80A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.940{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2278AF19546CD81DB101B4D858D973,SHA256=17BC020C8DBC3F884C35FF11C50792146C82F9E06387A226E2DC95C310F90688,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:13.408{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-15808-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001541078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B3E75FA98F7C6B0139E8E5FAE12352,SHA256=660A708130DEC58C1BFFD956488E9339636658BBC861A9B4B6A28F44A6D0E0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.877{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A6DA767C10BEF2082C157F5D7C1D5D3E,SHA256=BBFCFC7D5BC339B0E4B02ADACE54C860B4C85BACF55806570B4C31BE35A6A17C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001446055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.784{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C9EC1835FED7268EFCD5D37488CBFC3,SHA256=FDF4E3CE62D0C251F922743603F5F3D4F411DA7142102026DA1CB27419C9C5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.955{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13ACF21BDB876B6FF52D4D1A62158A2,SHA256=48A92B6BA4106EB663F072750791F0DA8B9D993AD1D53BBC2EDB9C2680AB2DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:15.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D884E9D7862705FBD25302BB459E2B55,SHA256=06EF36E6CB75C2AB24300E729A7E4D1E1861607F8DACFA0105633F595287E228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.877{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E05A9033EE52FE036E4736E0E7E580F8,SHA256=1D03C3F9436504EE88734CC6F3DCBCED7B7F6E87C28621BB16000B2D812F9B5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:16.710{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:16.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B573545E68F0BE012569D07BA543E78,SHA256=A6E96C8332D464F1B72BD846C3120E88EAB7E8C24652D60B2195A569DCBF9559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:16.956{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB68AE6C23FA41F3750BB5B601AB28FB,SHA256=93B781EE42BE9D928F1C1EDE409A2FB91D59D23F86A3E03D68D8584376FC6C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:16.143{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:16.429{5EBD8912-18AC-6154-1400-00000000FE01}9481636C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:17.944{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BD60850588C79BE0F8BDA630C173F7,SHA256=6A52AE58C2A9C215E871F59EDA9A006542E832FA17BC215C18DCB2C904010290,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.486{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:13.888{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50766-false10.0.1.12-8000- 23542300x80000000000000001446063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:17.002{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE746DA6BBB7CF888E8009128D030F6,SHA256=486E922840DD4D9D5D63437CCC78EF4B98716E5628EC5B253B4D22A47CE7A269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:18.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65816294970B200710670D855D8FFFB2,SHA256=053F437846487DC82A81488B0325071633654672BE9C5F4B6254C5B62B74A894,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.825{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50767-false10.0.1.12-8089- 354300x80000000000000001446068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.579{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:18.018{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2AB260FA5ED6C9FFFC4567FEB745080,SHA256=8FF19B8802DBD75774CCAAF43F5A73C17575561C80DED45CD3E504DAF9A2571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:18.002{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB713161C42732F416396CE83C79CAC,SHA256=0602375963BB3ACF943B01F02A9CC871880D922642D3ECA8E9A0A112CB55BF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:19.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054A6D62E3C29BE7FD311F8E97A212A2,SHA256=35996F4AFF66284B9FFA3EFD2176C40FAA35A5614374FFCC9D94482761A8190B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:16.657{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.112{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EB7F4F0AF129F3357C91B784DEA7344,SHA256=397677BA69E5CE4A537AA559DFA4777C3CD33A80CC533401EEE6F169D0255478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.018{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A59E9D5C986FBC324B27BC5A6DC1B9C,SHA256=1C5304DA46CDE355175C919E47B51ABE414776DA53113C11F9417506ACED54F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.425{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:20.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21865A845DCD69707E146E58DEF1967D,SHA256=69BBFEF25B943548A85FDA6208BA459731EB732E40EEB4B0846503318E61DBBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:20.190{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D13F0AE4CDF167CBCDF45731ED8392E0,SHA256=7D203F4401C1D3CEFF598DE9F529B988E7B4595D6B78D26E133EF4B51885167C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:17.735{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39364-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:20.018{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029904CD7A9C03E5B7EF770EE1879854,SHA256=510D57F4CD8ABAEB1AEF916774D703A2CBC53D33D4CD65FF64CD5D5F54ED53FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:21.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76594CC87D28E052510F55E2D38C658,SHA256=A091243512AE81B3033602B4D3C796A7281E40F0203C2F0D2FF84098098B34E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.602{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-081MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.349{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EB84596F414CCA038304B279CF4EDA8,SHA256=269E608082867D6856A0F858C139418736360BC150F79CAFA62CBB6E45D7BBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.034{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30376903B2097FF1D02A609F7C76CAB9,SHA256=6CFBD45144C63B45B16CC81BF2D6666847463681AC0EF3283780CDB4F3A57CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:22.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C5FE1DADF745AE6B3FA915925D3FEC,SHA256=57FCDA2548C5570C7446C0170CFBA675C704F5E184D26806D2FE0110EF54EB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:22.604{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-082MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:22.477{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F4FF2E1F2A324ED126A2D0DABD17E90,SHA256=B0BC75BF865566557AC220E1C1E5918BF631FCCF595D294A24F51F1DE162E0F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.925{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-50831-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.715{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50768-false10.0.1.12-8000- 354300x80000000000000001446080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:18.815{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:22.040{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAC1F5B668816C312B1C4F53BAC3474,SHA256=4782B7A17E0E1E5A0C799FA7C7B967F472B746811064D4BE7F6466524E0157A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:23.507{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2ECF0C0AD87166D12F990A98F0D2B,SHA256=89863C051AB2E783BC4E088536F16340740FAC09EE95284380642AA13E24CB67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:23.556{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FDAFCAA43D43B7F0A6763031CC7DE0,SHA256=9D25A8DB664362A6D9A8FE547CB0259FBAC5E7741D348F3FA60AB8B3BEA2D7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.067{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:23.053{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962CB70D0E187473FDBD8F780887E2A2,SHA256=63A1BDC8BB0BAF51ADC92B40BB8F89B666B97BFAD5943F3D3F4A5BF4F352EBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:24.523{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C69D7EFCF9AE5835B3110397177FA5,SHA256=1E39E81B60687C419F2993B4FC8659AC2B527A42383DF025EFB6D27F3590E58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.634{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E71765218F7D0E0C5A6E69C67A6198,SHA256=FBB5526A01A9DDCAF0FE58C12304C0A022DB4F2FD65C4AFC700C2BECAF8B2A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:22.179{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4268-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.056{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119ABDBBBA7F8CC3A0CE5158E7CD5C04,SHA256=ED13D96EDAD655DDCCCFDB459756DBFE94F34B63538B44F4ACEAA2499C0C12AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:25.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBADF50B78CF8806D708D6AD79CD953,SHA256=4361CAB75C39A429320B794CBCC00FC1947BB0420ABE40171152395A60080C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:25.712{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE53B0FE05F539ECFF0CD88E58C19CC,SHA256=78E16D3D888DBC28A9CF7D08466242B8D0D2FEE4E4A0FBB9413906311335F0D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:23.258{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-10099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:25.072{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153D08DD7A74EEADA45F29B198D3EB51,SHA256=78690EAFC75B96FE25A8A8ED31B0E568DE5D5650B656E9CCA763A55884835618,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:23.394{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:26.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95768131832E1A633DC63ECC986E53AA,SHA256=AC66FF2D10EB126933F89A5AE7C9BEB9879113E537D6C994C20FFBCE7283A845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:26.822{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D41B6186E3EFB96457793EDF49ABDB66,SHA256=D2F1DD38D986C848B0FEF188E0E111EDCFAD24ECBB2CD1D0EC6711F35DAC77DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.337{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-16015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
23542300x80000000000000001446094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:26.087{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10672E9FD39635EA04071FE990F17A48,SHA256=8738533343C032C70CC229CCC2A4A75E249C1A07ED68DEB3BAE67DDB80ED82E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:27.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248FE415FEEBEE3AF6EEB056E8E0DA63,SHA256=BF9BD2E6FA62E85D4B059E15C352A65DC99879B48BFAF7855F5D21025578E507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:27.525{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.526{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001446099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:25.426{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21639-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.878{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50769-false10.0.1.12-8000- 23542300x80000000000000001446097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.103{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EAFB0C7C34E42D89D8389BA81431BC,SHA256=FB8934B01BDB936EA85B495F081DFB073F6CFA8591739056D290C936CF0B3052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:28.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29DAB24E94F7DB0FDD161ECA737E741,SHA256=D8D6501490C86A3845699DF21A072AECDEB43FDD297D19E0E0C155BA58AC98C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.619{69CF5F33-2C58-6154-E402-00000000FE01}784404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001446128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:26.571{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27946-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001446127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C58-6154-E402-00000000FE01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001446125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:37.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:37.682{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001541115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.652{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FDC305B3797ADAE4C82C349BDF4D33,SHA256=FAB06DABB4A7633DADDE8E1CD7B095D816E9795F8AD82C652AABEE70E6C1BAE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:35.648{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-18349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:34.571{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12336-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:37.244{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFBC351FD3B2D922B40FC235CFF902B,SHA256=A63FBBE4D694C6F009DF3876E2DD23BC41E7A2FBB08F5A049A53EBD37C2846D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:37.025{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36A4F4FB312175D35FCFCBED4EF92B0B,SHA256=6A7B2FB614943B3C2F54C071BE309F3DD0B0AF8A9C197947935D15380B9D0B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:38.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D12E07306711C5EC8B4E3623C13D8D,SHA256=5C3D81A3CED812F9185D8F083E491D797F780F47B4906AAB8CB0DA137029C94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:38.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9376ECA515F3C644D8B6B5B5CE5FA03,SHA256=71EFF463E779379C7F1BDD6C9F81A389D43F3A5ED25AD918C8562AA72174A35D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001541126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:38.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B069609A610A104ADA6F1A73085EC5A,SHA256=DFB48A349709F003749A5DF9D0F1F32607738FF74972A5060F9F567D866A9590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:38.260{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53481E02CEAF197399797F5D3E956F82,SHA256=E0472ABB52BDB0746A069FD78D5CE4131B8C7A3E3D51B1CEB131B123EEEF5E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:38.104{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26685EBAAF2EC606E21EEE43DECC3DE3,SHA256=26D200E015B7A16C06FFD2265430118C89621783242132BF474E09E1BEE58D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.980{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBE6E7A1D50AF7C21560A7EB56FB78E,SHA256=0EC7B185AEFCFF93C05F5522CA4555475AF0C520C6B278D6883B47FCE9890813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:39.275{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9D9E688BF14DB25A7E3817A82AD49C,SHA256=F18460449CDCBD2F809868A3754788F4C4E908707D86B9F994928C0CF7ECDEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.542{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f
|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001541157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.542{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001541156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.542{5EBD8912-194F-6154-A100-00000000FE01}44723740C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.542{5EBD8912-194F-6154-A100-00000000FE01}44723740C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.527{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.527{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.511{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.511{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\Syst
em32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001541150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.511{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001541149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.480{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.480{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44724384C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44724384C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.480{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001446173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:39.182{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C687442B16F060C230F9C0E39439BD42,SHA256=A4932A69C3C8FBCAE682C312DB9EBD0DA772AD7CE6A214E044EC9C9C93B9B144,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:36.800{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50771-false10.0.1.12-8000- 354300x80000000000000001446171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:36.727{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:40.291{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA4DEBB08878E1A32F8D76121D18723,SHA256=356FC3C8A78ADDD9322FC55346E4A0BB531B0F83A610B629D3BE7BB6DC11A2FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:40.933{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:40.933{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:40.902{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:40.902{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.902{5EBD8912-194F-6154-A100-00000000FE01}44723632C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001541161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.902{5EBD8912-194F-6154-A100-00000000FE01}44723632C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.887{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntd
ll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:40.260{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4265784C769DDF27500224C5AC6D1E66,SHA256=82319C9EF7845754B79119F1F78B52AEAE6AC0F17626A675A6B88841F8A673E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:37.805{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:41.401{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0EC28F84D35299FEAEA4CC135701495,SHA256=D855EAF7B1C04BA347062B06A1A6DD0A43056A4274ED79F4452CA5DC3A022B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:41.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453DB72A1FAB7B48E8F4C7D84DD4272D,SHA256=ED967087FFE3E12B93174EA6828E2A5AEC53B25839463BB6A9626B9882BBC261,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001541167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:41.011{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9036ECB946FE27B77A128927DC900D,SHA256=537BF5E8EF7BF72D04432946D085C70C3FCAED680172170D6DFB19DE777A5AF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:38.886{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001446197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.979{69CF5F33-2C66-6154-E602-00000000FE01}1088712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C66-6154-E602-00000000FE01}1088C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2C68-6154-E902-00000000FE01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C68-6154-E902-00000000FE01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.605{69CF5F33-2C68-6154-E902-00000000FE01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.541{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2292007C0F59BA32876C4D22CF1E3FB1,SHA256=C927B01CC292FF32F40B227EB8D2242A63F4288D4063F54F5D9D56A57808AD3D,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001541173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-09-29 09:05:44.808{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEC:\Temp\evil_spooler - Copy.dll2021-09-29 09:05:44.808 10341000x80000000000000001541172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:44.746{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:44.089{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4EAF718B52B3DC7F8FFF34B5FCC01C,SHA256=D8225657A3C7F0D8BD6D64E6DE3AB8D9EF26B9C318601A2526460EEA7019214C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.195{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53711-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:41.101{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47579-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
10341000x80000000000000001446227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.151{69CF5F33-2C67-6154-E802-00000000FE01}37923504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:45.948{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F37B72A621E46B28C3391FB9628A3DB,SHA256=BBCC9E6A8BFFB366A943436A256283ADFFB1017FF504B2F4A97872BDFDE66903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:45.588{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5553594B978EBE802AA5E85F1AB118,SHA256=DF9DACEFC99BDED07FCB4332774FE5042958BF6D250565D89DE07BB3F3188D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:45.089{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3661C27F6D953751BF1DB68A0BDDDFC4,SHA256=E9CC7ABA9226D51C6945585317CDB22C855512349CE70106BC7ADA84DD01D700,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.428{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.816{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50772-false10.0.1.12-8000- 23542300x80000000000000001446250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:46.604{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5729B11291145D2047B16ECD0C0E6804,SHA256=91CF4DF6279BDBA1126F03B5EC900E872A4D4EB08990FCAC6AEB5718214ED1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:46.218{5EBD8912-194E-6154-9800-00000000FE01}42641372C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.187{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\Sy
stem32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.187{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:46.187{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001541176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.093{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4849DC4B9A1B37DC372E2261AD521142,SHA256=126CD3D7718B5C98E8BB3263EC48815223F87EC889B795E3423046C34E5534EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.551{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-7686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.062{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:47.635{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0A9C1322EFBA94D7CDC13CB7EC05C5,SHA256=936132985C33EDEA68C726C4833B1AFD5BE3AB71AF4C3B7C86923D444AFD3B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:47.093{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F558F4D31A42827D93AA8CDA4BE093,SHA256=60EC1AE2DFD20F33496E11333E9715B2374EA6063A58C5AEC99B89EE5C877EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:45.729{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
09:05:58.331{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.332{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.878{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A83FB82DA3D202D4C52D2C7637388383,SHA256=D8C3295E27CEE7BC75507A91303C1752246113F947E34114E864F61E6D7CA32F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001541245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEBB018030DFBC856E79D18BB62675E,SHA256=60324F48ACED337EF8E6EA57C75E7EDB2D2670E114A26FE83F343721A248AFF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.097{5EBD8912-1A12-6154-C600-00000000FE01}48364192C:\Windows\system32\conhost.exe{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001541242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:05:59.081{5EBD8912-1A12-6154-C500-00000000FE01}45923200C:\Windows\system32\cmd.exe{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.093{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\temp\w32time.dll"C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001541248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:00.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9241DB6DC98D9D9352F18E1EA95284D,SHA256=674F8098B909B3413B6BBD076195599FB5F37157CB6B9D3164C67C7C422D6CBA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001446279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:59.995{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454976D0A3BCC22556652E1CFC8F8AA0,SHA256=0D5FD595187EFADFF44BEC7A9386B647C2B1D0475DA632907D6032D84F49A27D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.375{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001541281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.821{5EBD8912-2C79-6154-2203-00000000FE01}24725448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.800{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99238B0DB642C7AF47173C980DE36A12,SHA256=A08084180C1FF05B84A92DBA369B497BDE5FF12601BA1F580856BEC613B2CE01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:59.894{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50775-false10.0.1.12-8000- 23542300x80000000000000001446280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:01.026{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E81E4A413A65CC5CAC9F5994ABCE1F,SHA256=E484466131991A2844D82E560CAE2C289839C6CB8C4AB2D277E2118254A94DFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001541278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.551{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DC35E946D646C72B013A81BBBA717AA,SHA256=49AACA5D4E79C7F9B9790E9DB6C1096BBC43E0AEB16618D8D15CEB05E2592FB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.863{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.800{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF0F2A1F01058CE5D2EDF0CB21BE536,SHA256=865D091A02DACA302B79E5047301C0B2710C84F7EDF38DBC7D4F26DBFCD0C40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:02.073{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98C811C7508536D68A8B5DDA16A6EC9,SHA256=8944D56A600F456BCEBAEE9345E438657D99BCFA631D4BE341C6C5A3AB71ED4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.784{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25D88ACB73FCB87A863060AED3E00235,SHA256=E8BD85A8A9A134226425778A1372026919F1F1901344B55A059D424584A8CB44,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001541292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.582{5EBD8912-2C7A-6154-2303-00000000FE01}58244436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001541291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.344{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65129-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001541290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.344{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65129-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001541289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.363{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:03.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7BFF8104033958C1EDE04B2B469544,SHA256=6AEEDD993756926D4932610E23F7CF1C7BD141BF7201883775D462B4DBCB2467,IMPHASH=00000000000000000000000000000000falsetrue 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F3DC482621BFBE8E94D47687EC3533,SHA256=F43D55B68865FA46BDC0552632A824D64BBA0298D1648BBA0D4B42DC160E89ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:15.831{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50778-false10.0.1.12-8089- 23542300x80000000000000001541352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:19.590{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD680C2C9E171CD57B58F70DDEC65B2,SHA256=8B1161C5331F80E2DFE831B11E071F24712B5661EAC5EB7E4CC746B8883F4EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:19.528{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B3A01D8AB92A1B1C4FC578E8958798,SHA256=A99BE5C8601FF42B470CDEBE7430B966CD0F4AEC68320AA12CB6E918DCA58E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:20.605{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D57F50A88C75B6BE552AAF4ED15D254,SHA256=9350C2E03AF9BEE225ADF9B38361005325F8378380D5D2733D39BB574628FBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:20.544{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB58C8B84162BBBA5FF5A1C434375B81,SHA256=AEC41DD2E12D9510DDF5FE4DCD6711BF630BCE03D6CF1595AFC9749D622C3709,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:17.769{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50779-false10.0.1.12-8000- 354300x80000000000000001541355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:19.580{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54250780-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001541354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:21.606{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2261972EA6E5BDDD7D505ACD9DB81715,SHA256=32035D388D30C3BDF239E808AE58EC89ABDFAF69E27212E80964830479ADB79F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001446309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.575{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B9F7610AD4F4D3EA05262BAC5B4852,SHA256=8D2F37645EFE0A576F23B2B4F1565B17CC436ABEB2360EF01A300B02E51231F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C85C7A2716C7986086A2C3CE841CCC6,SHA256=75CE11B09E1917C2E48AA972EB4396B6ABDAC69DFA25EAD692F5212C56420BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7086BEF46EA4FDA2508CA103309789F,SHA256=7C0FB8441DF440C86867249D0FD48C08419DF16CA70EFFE2A7F112724B30C6A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:20.384{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x80000000000000001541356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:22.840{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A8FA05112849230D2BE47A7D5E8068,SHA256=B6916C45C39DA3B55E416288CC3478FF99E878D4CED9C6D3CFFCDC43A6E8CE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.607{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6D504341FC546C37333DB6F871D271,SHA256=D9966D141F13287E29A0DBB82D4F8F8E2CDD4A1C32902C86D586197FD02E8ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C85C7A2716C7986086A2C3CE841CCC6,SHA256=75CE11B09E1917C2E48AA972EB4396B6ABDAC69DFA25EAD692F5212C56420BCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:19.931{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:19.905{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001541359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:21.381{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54256290- 23542300x80000000000000001541358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:23.840{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9903CBFD2914721548F7F3335B55BA80,SHA256=EB03BA942ED29BA2C196B6176C49E219D1443A7B3F96D246582549A69A2ECB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.638{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699608376D5DD0A2FD4A6E7E2016FF02,SHA256=FFD62E9EBF61A7DE03A07B938086E5E944B2024C9C2ECAF61FF49F9D0D6BE6DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.559{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BEFCA44CF25D78BC8B046A39678692A,SHA256=F592CF90D64E3FC667D66C3DEFFA53CFE5CBCA32B291A9D347062292145E5A44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:20.015{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50780-false10.0.1.14-49672- 23542300x80000000000000001446314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.124{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-082MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:24.653{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113C4BEC2237A3BBD3AD3F79FEE26F19,SHA256=47F4D0A3EE8EC661A85553710F9BEC1EAE0C00FDBC33D7C3A38A0D80EA61799E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.181{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11065-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:21.823{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-542.attackrange.local56290-false10.0.1.14-53domain 354300x80000000000000001446320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.816{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:88d1:47ea:8a92:ffff-56290-truea00:10e:0:0:0:0:0:0-53domain 354300x80000000000000001446319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.072{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-2661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:24.138{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-083MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:25.700{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4145CB39276697F867A557B3978D6BA,SHA256=696D7B34C5735B5AE72174F6099255602D6F81A6B4C9CD55864CB2C15234E769,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001541370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 
09:06:25.203{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x80000000000000001541369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:25.203{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastClockRateDWORD (0x0002625a) 10341000x80000000000000001541368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-1A12-6154-C600-00000000FE01}48364192C:\Windows\system32\conhost.exe{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001541366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-1A12-6154-C500-00000000FE01}45923200C:\Windows\system32\cmd.exe{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001541361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.217{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc.exe stop w32timeC:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001541360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.058{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D44D8037E7CCCA5EDEEC3B9719F12EB,SHA256=069891A89097F6E11F35BDFC8B9C1F9A884C41B93D44A4475C9C84AA3734E2E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.288{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-18821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.894{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50781-false10.0.1.12-8000- 23542300x80000000000000001446324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:24.997{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD602476ACA36D93A490FF732692A74,SHA256=B0B91193F0361249A4CC8E46480B00F0C9D8B095DE90AF26472AAD5BAA93F794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:26.731{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F768C8EAAF894700043C491510C605BC,SHA256=B5D90CEB8F04DDE8845ED316C22FC90D6AB2F92039C02CAC1AA8105C84EFAEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D78C23013C9C162E4F4BB45A08FD3830,SHA256=172A626EC923B0919A4F6EE1B31019B242FFA263C372D0A7200D2FE74345DD71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FE6F6A8B4B618DFAF6ECF543510CC9A,SHA256=8AF328D62DA7741943B551CB572923776D75BE485D8221D3920097387B83FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90235D321007CC43A2A459E25E281B3A,SHA256=CF3F7C1F16BEB90BB0656F9B7CD40217B8910F5791CE4E05BC5FC8C6FB245D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0935006CC79ABF83EDA1CED7DC2DE4D,SHA256=52C9730E107FEC0131CFCCEB5A7A91B965E169C50245CCCBDFB7C8F1124060BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5E630E90E68D2DC756D48727115DA5,SHA256=AD0B6BE604BB9418863375138E05E791450C630DA91693665FBA27514BEEE609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:26.122{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE157892BF4565B6D50EA9ECF46B02FA,SHA256=9C49E7443C908B0D068435D0DD20FFD49D8F131BDD08153F4FC8F3BD1893A1BF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001446346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBF56672BC9240D11103A13839FEDB6,SHA256=A8871D7E8B895F2B640719F262A0CC81C231EB4D4C915C4A549907CBC52122BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:27.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9F4B4E2FAD8AAD36E497F52C5BBC6B,SHA256=2C7A83FC1DCF77E70438DC85DAD1086550D63A2EF49583BE2F7FFB93AE2CCA0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.420{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.372{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550745DDB2E885AFD7A6DF958AC1E740,SHA256=91A5D0DC0C74AD7EB457FE6A4492DF61584A1B9B84F246F58E2A7ABEB60210B8,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001446331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:25.828{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:24.707{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28911-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001541377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:24.530{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001541376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:24.530{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001446362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3028E54B949EBB6092C84D48805B31,SHA256=70F2764E70AE281BC5D3BE8CF26FADA295E6F917D683C7D42BA667F3D0E8141E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:28.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8507011A700C1467848D767B6F8D8D2A,SHA256=E1D158D35FC8936AF894FABEC3CE23E88ECC88B9C8F9BC19327356330FBF9AD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.513{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001446361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.622{69CF5F33-2C94-6154-EB02-00000000FE01}5123016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.434{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A717901676F94D43847560C9BB53708C,SHA256=AAE5D5EAC25A0FE94137ADE5A33FBB867F79D4DAD41F6BC8B096D1A148CB067E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001446359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:28.387{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.388{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.794{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8ECBDD093ECC1FCEDE7A90E40860CB9,SHA256=46243EE12E715F14964710BD2EAC034CE28A4E07EDC05914D43D34BF364326C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:29.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764DA575B7B0D5B4173A2C08810307B7,SHA256=C1E4AF6C9E76B4DC6B9AC37AA882BA6E18FCB7D3400B1DEA128FE476021862ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C95-6154-EC02-00000000FE01}3736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3179A93908BFBB89D4264E16768937D3,SHA256=7CCAAEE8EF27F79014BC19238403D9D7875D0E8041AE5F848CAC353490E1D5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:38.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888FB34EC42FEE8A9557196C9431C644,SHA256=E53AE9BE5676461FB4857619187213C90390BE93C65545A27D9014D296977A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:36.692{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:38.075{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C13E66233F1B28CECFD8CC08DE9E85,SHA256=A2E54BC9B7A9E949AA55B8FA7A843D1CFDB34A725AA79381EB26C1E33C4959F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:39.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F3803B3549F89A740F1717D92D7C99,SHA256=3D1E5FA2B77A9881B36F119FAAAD93276F1DFDB6907716CC202BE3F08EE1A2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:39.294{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=069B8751ABD7EB7F51B1DA133552B040,SHA256=ACBA38B9DD709C5433DF3647417FDE5C09DBE9B804D0EAD18E63F59925818206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:39.106{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F53A8B1C0A5F2E8CF33634F79215C6,SHA256=ED02AC887A52EA913D2BF9BF784F9BCF82231A6706B7320C352535BCBAA7194B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:36.560{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:40.413{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9B19B3F5D09325AA742D52979FA777,SHA256=5D7F236E10BE63A3DB634C8BD09030AB35CF75A1A0BA4DDC8E378F0CF443CF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.388{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A11269C2C05D2629398A4033BB9CF1D1,SHA256=9CF618521DBFE09568A0602AA3DE461619E6BC880A6F14C39BF336D60B580AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.122{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F273180D29A3524115C20118C7658D,SHA256=7C86A304F27F746B2DF8F5DE9DB6C52A049C865C38A52E5291D6EE26423823E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:37.888{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:37.289{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3958-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
23542300x80000000000000001541422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:41.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370FE7A605BF0626B7F74EBAF758DA5A,SHA256=DA3ADA11A6B17DD928DD3D7B2B0D55D0748023C9FE3B0C8F3DB5261A82CFA0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.497{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8773A5B2B3AB3E2DFC8699447F5D7B40,SHA256=0611F13F4C865E1DC5540FD294AB821C3DDF00B9CB11B5DB306BBC5EE5524A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.153{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDCD1D6F13331EEA25A9CDA69CE45BC,SHA256=C02B47C7828FA8AD6CB7C2E5A75637AD999D4BBE710987CB7CED8C466A2E610F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:39.023{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:38.993{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:42.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E0AA5E7FA2D0F7326BC82A4EAB1116,SHA256=A74FA4B6B944C4B6B75599DE98428DB08FD6635691D7B7B12C67438091E16369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.764{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.622{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B44955DED0CBF7F71FE7277D770F0FC5,SHA256=D6FA6C94790871DB707B572A7A1DFCC3984F7425FBE9E2118135819C01048CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.169{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B570D4E1F540838EFBCB7508A5C10F4A,SHA256=6BBA2FF10BB949553D4AF7C5718A25A9BEAA80ABDDC15EC8C13937CEE6046672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.146{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-26479-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.089{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:43.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F0E528E2D2327DCBAF5B39229BB18A,SHA256=674407A2FF07A6E2E858364A770EF015029AE9B805685823CA815981D7FF09E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.997{69CF5F33-2CA3-6154-EF02-00000000FE01}22721920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001446467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.763{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.764{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.747{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF803FDE6C2C9DF53BB0B8857882928,SHA256=A0760AE10FD68FC5FF43E676DF39B75ABB45061D853E2A23674DBE066CEB7021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.466{69CF5F33-2CA3-6154-EE02-00000000FE01}1696728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:43.263{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.268{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.185{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3430FA8129BFCA5E458643FE93C430,SHA256=1A7188DA02F613742E432BE80F06D90C2BC257ECFF70A375F71392D974FE7F96,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.299{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31342-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.209{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.722{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50784-false10.0.1.12-8000- 
10341000x80000000000000001446437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.997{69CF5F33-2CA2-6154-ED02-00000000FE01}34922256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:44.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051427D4FD594603C97EEFB61837520C,SHA256=61F00EFA5D04B54BF64621EAA503912822D1A291C2543FC062E0E5BBDBE4BBF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.825{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26F3EFA3AB181DA1B7E4F63585C6BE57,SHA256=432A8F245F665EBD8B0410EF1B6082DE785BD834D7F02A2DAD6DCB8E602AD593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.419{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24411EBA9C48F3CB77A345391B24667,SHA256=3152AFE9468D4EA1376D457A9F671EA098C64665199E603CD6364AC29CADD2EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA4-6154-F002-00000000FE01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
354300x80000000000000001446548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.044{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:55.759{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:55.586{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-33976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:57.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B84EB654F8A100F2F2774EC0EFDBFE,SHA256=79F42CE8BF6539DC2BD6D2F24E17F0ADF6CF1B7ECF8A1DB95F6D7889450FAA2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.624{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.311{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E14AC248985B41ADE8985AAD7361747,SHA256=936649BD0C3D2D35C365D31F8DF4CAC5A95FC616FC3BD0F916695D27AAC49D66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:54.475{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-15654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:56.998{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243FD6C9199F8E2AC5067DFC5EF5BBB6,SHA256=F8DCCD9910641A5BA191DD44800C5747D26D1AF875E1CF46A2C40915DE851502,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.837{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25461-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.680{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-38732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:58.639{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C9E8BCB65A0BA821961E16FC257A8A,SHA256=CA1C8442DA5CD95E4E0CF0B2D6DCF5D72EDD0AF29DA91E947CBD37B5B5AA870A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:58.967{5EBD8912-2CB2-6154-2B03-00000000FE01}35443988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:58.795{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.796{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.373{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9FFD573F352FB1388C76F1599B15A50,SHA256=FFDE8878DC3F330EF6324F47EF2AB6D1107FD33863F389C8EE26FEA98BDB5071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.296{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
23542300x80000000000000001446571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.514{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2093F918F4989D212DA7456D494C9DAC,SHA256=3D5596405AF85DCD0730AB63099285915FBA127120BAC3E28CC4BACA7BAB34AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.951{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=621B6AFAC0136D3F5E4E06A1EFD85FD4,SHA256=4443B1B9A0FB69E2CC29620BE1C4F7969B8FB4363E7A4547960927E5BEEC008A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.780{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F235BBCF695F08AA7DC9F438DCC40E00,SHA256=F038E4AD3FD60E882488A41C6F3E44F7A6937A36F616DBC4D91D9BAABC55CD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.624{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.092{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57CA8BCD7540EBDA60D0474F7D4EE85,SHA256=BCAEC707353CC7E3DDDF021732D841607C883EC32BD16A95B5C15260B6D13F28,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001446589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.795{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8662571E52849402E33D8388D239983C,SHA256=942AA423890CBA7F8473693CCD5AEA9E5D730566D354E2EF60D02568C7C3E45D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.274{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48938-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:05.248{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=168725616A372ADF4A4455E101A81E35,SHA256=0674A9D5C25E8613F3B27C5DBCAABEEC0FA643AF4B8D2515340180F31D45B8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:05.108{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08413DC59A62122B751C06CB4988FAD,SHA256=A45D6BD3B6FC009C16307A3E9B7C6502F81CDE010399901E999497B5BFBDF9D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:03.413{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-8429-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.368{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-8259-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.335{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-8088-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.309{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-8016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.274{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.251{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7759-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.213{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.42.96-7644-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:02.759{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-14481-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:02.572{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1755ms-streamingfalse10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:06.391{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2641B4D44EF14DB891127A24A0FD8FD,SHA256=513F056AEA55DC2544D81B2A32EAA9689BB50B7CC94A8BC0990382233390FCBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:03.412{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53578-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:06.126{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9D0D71DBB51469F36345417401E351,SHA256=1F8602ACB278821EA15A2735B38C91152494FDA4C69206D07F2A3BC2BA27686B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.548{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13914-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.520{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.510{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.483{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26419-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.472{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13547-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:04.461{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26305-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.448{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13405-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.438{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26204-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.425{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13299-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.415{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25972-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.403{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.379{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.61-25750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.365{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12711-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.342{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25563-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.339{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12477-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.318{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25302-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.313{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.283{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
354300x80000000000000001446631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.276{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.260{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24980-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.242{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12157-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.235{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.218{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11975-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.211{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:04.188{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24341-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.181{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.151{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24199-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.143{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.128{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23978-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.120{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.097{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.42.15-11347-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.089{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.075{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11157-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.066{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.048{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.043{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23609-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.025{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
354300x80000000000000001446612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.020{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.002{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.985{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23201-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.979{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.958{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10422-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.949{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22988-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:03.926{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.923{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.903{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22601-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.900{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.880{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.862{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.839{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.42.15-9690-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.816{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.793{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.755{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.733{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9027-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.721{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50788-false10.0.1.12-8000- 354300x80000000000000001446594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.710{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.42.15-8802-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.672{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.649{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.453{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-8546-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:06.030{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35B0141B779D0C900D35AEA32FC05375,SHA256=7E3966975D01854DF511E2FC1B55335DD91E87BA94D0DDFF8950E317615A0741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:07.516{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F075718B130FAECD52363CD481094C5,SHA256=35E6CC42126CF9CB667D2705C5ECAA33D5726B9C8783217EC20970C8F304C1E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.619{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58715-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.552{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:07.126{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9773A7AEEF6D927A01BE8C074A98BE28,SHA256=1FB3C020E96CFA554C4B6FD65D9F5A7E0A3EF9043ADA524CD967F630D1997C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:07.327{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B6B38E3EE0CBB13BD593FDBFA42B79,SHA256=461E5B2BAE0D637F6B248DD45B6386BFB4756ABF758D8274702E1ED891E9FFD6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001446671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:07.327{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E9412D2BBE4339209FD66EF3B7BE026,SHA256=4F0783C36018B4705068408F66120541C474F6EB45F27E7C4BC2DA3FCB25B1C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.280{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16504-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.245{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16411-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.223{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16314-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.200{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.128{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.42.96-15785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.090{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15582-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.053{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.030{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15386-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.007{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.983{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.960{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
354300x80000000000000001446659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.923{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14892-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.901{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.878{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.844{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.806{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.768{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:04.745{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13999-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.709{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13825-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.671{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.648{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13639-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:08.186{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D95813A4A9B4C7B4F19C48413D077FB,SHA256=30FD2D0EEE36AE9ECBA8CC75C996088FB6430C62BA675A85F147CBFACCEDC98B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.727{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21341-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
354300x80000000000000001446682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.548{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17614-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.520{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17486-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.493{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.464{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.424{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.387{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:05.364{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16927-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.338{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.303{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16631-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:08.139{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DDBBE1AB15E9CECD20C868C3F510CA,SHA256=08430B130BFFEE1E38A05BDA080D8C2155E9C0EB0BC59DA39824B4E616DC73BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:08.673{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1AB411D8E7D654EEAE10A011F93ECCF,SHA256=34D8C4AA03705CC598A6AB0DCDDBE32CEE40E650C720C69F5F42859D0D13C76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:08.188{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1907B7B8932D4980574FCAABC8D2201,SHA256=490F28C33B3817F49A6E50CEE4919D40D09594F06435B7AE6EA78AF683044DC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:05.746{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:09.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B249D9C2CAB32F3D27CB43BD7274B93,SHA256=7870C22C66E1A51BC776FC23B04DF152F60B05CAB5072F973628D7329A0F184D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:09.219{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0C2152AA9B5196CC790A9BB800B65B,SHA256=E06F5F39C8829BB2510C273BF91C5D72D8A016DD511D03588D60A6818396AF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:09.264{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A8EFFE4CC9E782B9C1037ADFB4468F2,SHA256=01EC8B6DBD40838313EF8FC9847D92626E853EE33A0A953455424B2B44728E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:06.805{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28294-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:09.139{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7F1B6BDA50F5BFD98FB47B664D9EA0,SHA256=C802FF9BE28CEC02E4EC65A5B868FA2D9BDF4FB2DB8773C8CC29869DB1FCEA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:10.358{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4434992232EB50685FEC2F50BAF26898,SHA256=B1A7988B84926CED7608AD7BD3D852D27D44BD9796BB6D327510DFC67F77B89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:10.155{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76D9EA345C241A1BAD4CD0255266E85,SHA256=7EA19FA1535E7209D55E6CDF2F4778A61D2878FA8914A5BF82015AE7061D9658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:10.954{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58664C0B9307B92A37EA5C55E625F57E,SHA256=415BE09422B89F1367741C4DAB0C857417F16148CCD2F8912102B1B1C6D416C6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001541557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:07:10.704{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001541556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:07:10.688{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001541555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:07:10.688{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 
354300x80000000000000001541554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:06.925{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-9293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:10.219{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E2A09EBD45EEA43A46A8A6C2A41DBC,SHA256=83FE8A86430E0B93F38DC8DF0589969AC97EDAF9CCA1568D3A548AA356FA403E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:11.483{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B48F3868AA4617BEA66D868F97FF3A61,SHA256=BD9883720F41F0F27BE7085AE28EE3021087ED1704BBE6BF1A65A3BE5E024BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:11.217{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D982063CBED5745D60889CB67A04999,SHA256=DEA42CF79D6277C0F96CA35B510CCC49C773BB8311E350551C69D6BAF97A47BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:10.028{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65146-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001541564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:10.028{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65146-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001541563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:10.009{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65145-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001541562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:10.009{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65145-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001541561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:09.089{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18891-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:08.011{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14161-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001541559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:11.266{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9505E119383183FDCBBC60B1EFAA05,SHA256=ED3C73A6F0EB2C9FB7C6E75229C9464CDFD7DE0100488E7BA913B875ADB84424,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:08.961{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:08.940{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50789-false10.0.1.12-8000- 354300x80000000000000001446690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:07.883{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34925-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001541569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:10.038{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65147-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001541568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
Sysmon events from the two Attack Range hosts, one record per line, fields separated by "|". Field order follows the Sysmon event schema: the System header (EventID|Version|Level|Task|Opcode|Keywords|EventRecordID|Channel|Computer), then the EventData fields of that event type. Records that the export split across line breaks are joined; the first and last records are truncated in the source and are shown truncated ("...").
Event ID 23 (FileDelete) EventData: RuleName|UtcTime|ProcessGuid|ProcessId|User|Image|TargetFilename|Hashes|IsExecutable|Archived
Event ID 3 (NetworkConnect) EventData: RuleName|UtcTime|ProcessGuid|ProcessId|Image|User|Protocol|Initiated|SourceIsIpv6|SourceIp|SourceHostname|SourcePort|SourcePortName|DestinationIsIpv6|DestinationIp|DestinationHostname|DestinationPort|DestinationPortName

...09:07:10.038|{5EBD8912-18B9-6154-2F00-00000000FE01}|2408|C:\Windows\System32\dfsrs.exe|NT AUTHORITY\SYSTEM|tcp|true|true|fe80:0:0:0:65e5:9cae:dd2b:361b|win-dc-429.attackrange.local|65147|-|true|fe80:0:0:0:65e5:9cae:dd2b:361b|win-dc-429.attackrange.local|389|ldap
23|5|4|23|0|0x8000000000000000|1541567|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:12.282|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=780EC62E7F1546AAB230C1605CAE08F5,SHA256=83F79F59ABB0E5D2518D0198C96933F5AA2667507B877F71D545B75020E28E49,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446697|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:12.577|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=0DFB20012A889C8CC523D7018217925A,SHA256=7309E8E8FBDC7BEDE16465428E17254E1CC7189235726CDF13C142015674DDC2,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446696|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:12.296|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=8E8BC499C22CC7A4F18A35D953C54041,SHA256=0D6159B00D792B7093D03839588130A1BDF36C0C7315B1780CE25CE2F4C4FA9B,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446695|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:10.069|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|48506|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541566|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:12.048|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=2A0EB3112BC7AB60D437972FAE748CA9,SHA256=B90B2E46CA8CA4588307399E1AA728E229E0288E5DD733A8FA768A270CE15957,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446700|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:13.655|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=34DBD505E4D419B0576FDEE9BEC31A6B,SHA256=895CBE11EBB73EEE3F43D9FAE72919695826A4D0D0776AAA0DF0BA0BD7F156FF,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446699|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:13.327|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=781F60B3218347F731D554CA308AFBA9,SHA256=117201AC646581C54D0F5EC2D24FADA3240FFD08668AD0A2E699727CA2970096,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541574|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:11.401|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|28624|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541573|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:10.399|{5EBD8912-18C4-6154-6E00-00000000FE01}|4004|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe|NT AUTHORITY\SYSTEM|tcp|true|false|10.0.1.14|win-dc-429.attackrange.local|65148|-|false|10.0.1.12|ip-10-0-1-12.eu-central-1.compute.internal|8000|-
3|5|4|3|0|0x8000000000000000|1541572|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:10.308|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|24053|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541571|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:13.282|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=E6B92B3BE4524D641D4AB5FA6BE4CDEA,SHA256=4E993F27441D12E25D2CA11171F6111B56000EE30FE9E97906B7C0810F2CC440,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541570|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:13.173|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=FDBB08EA05875D4F26C17948752C2BA1,SHA256=0EC6A605F377C2868560532F131672E3AFD16C86C74BC300F1D02FC48637943F,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446698|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:11.181|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|55520|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541577|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:12.512|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|33129|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541576|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:14.313|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=F1DE9D06EE19E19F1709BEB5964CBD12,SHA256=63D232EAB4F2870D823BB058888A2F4CF070EEB582DA5CB751B60F04D0AFFD58,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446703|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:14.936|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=18BA943C7E0761F0632376FADCA6CCBD,SHA256=D613B2DC76CF803846FB8E458B72B08C448296B2759461E5855ED9AC63FBF231,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446702|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:14.905|{69CF5F33-1899-6154-1300-00000000FE01}|296|NT AUTHORITY\LOCAL SERVICE|C:\Windows\System32\svchost.exe|C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat|MD5=D0BFF8D0A5B4DE7A9BE37D251968C466,SHA256=BAE02CF677F571F7CBEAC5EEDED91F8A3D2C2006B4F11900797E7DF628CC0DF0,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446701|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:14.358|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=947D5A332BE7D21C21D5F1FC9873B505,SHA256=040F69EC4454EF666EEC65BD445AACAA07B00EE68FFD3DBC4DC3587A4A9B8136,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541575|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:14.251|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=D0F893E995197CC434D39AF5360CAFB8,SHA256=E6347A53CF2709FFF6E4C09D96153C9F0632E6918923741D3BA375539A09EC2B,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541579|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:15.391|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=E47DAAC9649A3D889A6EAEB75389A454,SHA256=8EE4A4EFD378DCE6B7C7F417A6C48D5EF75573125C7330D8A2CC9057F82A2782,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446708|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:15.389|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=CEAC61B5709910AF9913506C92B308C9,SHA256=7E58EFA77971A7962FC7CCCF398DEEA17E4EA6971BC7D8EE420FDC8C42C4C3F6,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541578|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:15.376|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=E144F7C0C951660238CE294201AA9020,SHA256=CD04BF1B794844E1896DC12B933D021B4ADECB0E90D4E0B8D6DF091755AB453C,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446707|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:13.414|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|10571|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1446706|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:13.389|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|10315|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1446705|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:13.352|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|10174|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1446704|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:12.273|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|3440|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541582|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:13.606|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|37652|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541581|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:16.485|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=0849033C58DF90A99D5C36E87DD6432C,SHA256=C219D7145FC5DF2DBD3F04A04B95A2B208A6BAC0EE51DBA8E6838D06DF28DFEB,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446715|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:16.405|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=C7805B6B733C9DF599322D473EAA603F,SHA256=EC95628E39862F3A64CF09306FE593A914BBDAC194CD6CB087FB14DEB67D3937,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541580|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:16.454|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=FC257F4939510042ED1CE3D7A3049D8D,SHA256=600A41FE980A447BFF62D6DF5442D46D11276EF5D1F028CE8616DAE9F18A92D8,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446714|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:14.690|{69CF5F33-18A6-6154-6300-00000000FE01}|3980|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe|NT AUTHORITY\SYSTEM|tcp|true|false|10.0.1.15|win-host-542.attackrange.local|50790|-|false|10.0.1.12|-|8000|-
3|5|4|3|0|0x8000000000000000|1446713|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:14.633|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|17978|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1446712|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:13.474|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|10858|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1446711|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:13.437|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|10723|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1446710|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:16.202|{69CF5F33-189A-6154-1C00-00000000FE01}|1940|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe|C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml|MD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446709|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:15.999|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=18943ECB69D16F65BC00DB590BCDC041,SHA256=285B0A0CD0A77DB84C91047F235E5193903B48A4A61EC050BF0C556DB61F0931,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541585|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:14.715|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|42317|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541584|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:17.532|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=2015D19131C8418CF2ED2DEB75BAFAAE,SHA256=87D7D7EABF612A8FBEFC49E77735BC8C237B8D29D6EB7AC1D2D6EFE96814CFCE,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541583|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:17.485|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=4274C5FA827F65528F5ADA42469B36EB,SHA256=B5047DF89D8B005301764566037951FA2E10ACCBB6254ED6EEB13BBDA792E23F,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446718|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:15.729|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|24558|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1446717|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:17.421|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=735CB3FCAFCFA29A0FACD8FE22F5AF69,SHA256=6EC28844F001699DEC474729C1365240236DF4231C71D31E8DC6F97265CE332B,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446716|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:17.139|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=A53550D5DC2A68BF6D51CFEB60572BF1,SHA256=41B41C6CA20D48BC12D68A0A8F36C55E8A61CB08B4BB893182586582E35E0565,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541589|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:18.782|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=8D5A9AA9F9084CDA828F0ED5E3893853,SHA256=CDD2CBF17294CC66A2FA1A5E9AADD9FF147E7987C02AE614B1DB2CF0E82F56A3,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541588|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:15.793|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|46947|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541587|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:15.445|{5EBD8912-18C4-6154-6E00-00000000FE01}|4004|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe|NT AUTHORITY\SYSTEM|tcp|true|false|10.0.1.14|win-dc-429.attackrange.local|65149|-|false|10.0.1.12|ip-10-0-1-12.eu-central-1.compute.internal|8000|-
23|5|4|23|0|0x8000000000000000|1541586|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:18.485|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=35046F4B97E18A5DF734517933A04812,SHA256=20CC2ED313118AD73BF6C6C81ABFC9ED5968E1635832AFB0A342F0398CEA6379,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446723|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:16.851|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|31629|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1446722|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:15.862|{69CF5F33-189A-6154-1C00-00000000FE01}|1940|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe|NT AUTHORITY\SYSTEM|tcp|true|false|10.0.1.15|win-host-542.attackrange.local|50791|-|false|10.0.1.12|-|8089|-
3|5|4|3|0|0x8000000000000000|1446721|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:15.751|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|24856|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1446720|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:18.452|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=4FB8C0865FF46A71FDC4739F8FC9ACA8,SHA256=DA6D131758C1A0BEB1FA8EA6B1DECFDA45D080250FE7A7F3A978A990D942FB19,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446719|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:18.265|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=D59FDC0268B1364C1E34C038421B2090,SHA256=00460530BEE1D84658A77636A3AA95D9ECCD892C76A83B4FE953F323AF6613EC,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541593|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:19.860|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=8DCBCAC8A2D88F402E614B20C8B21289,SHA256=1B3B28EA7CA6040C86CB7CE009EF17C42DF4E481B4E9BFA47BBE97A28CB092F9,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541592|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:17.001|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|51640|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541591|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:16.925|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|116.203.147.165|static.165.147.203.116.clients.your-server.de|62544|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541590|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:19.485|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=16B6B0021A50C74E2654CC99880B83F0,SHA256=D9036BAA11022C409E5B15814C35278AD70FCE0F50DD53341AE36E1897F569BD,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446725|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:17.961|{69CF5F33-1899-6154-1000-00000000FE01}|964|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.15|-|38623|-|false|10.0.1.15|win-host-542.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1446724|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:19.452|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=F39A81FFA15FF8921F8E4C86D5A9596B,SHA256=1BA43EC6FA15BEFD01EA209E0A84B85161FB1E7507D460D573F6D5E466575F67,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541596|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:20.938|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=BA5269C1B8C71784F69809F1D927E84D,SHA256=9FA1C7EAB617BB7B297ABE4C28A5A96409D34D75454DDF316F68F0770ABC6949,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541595|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:18.121|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|56633|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541594|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:20.579|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=E53FEACEDF423C55404A5916B1A62D11,SHA256=2EC6660D4CD19B8A1556462112D5F0E9B626D0E7A6634F47193C70C1E4C1558B,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446726|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:20.468|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=A9D2D169C8AB23C46F213E5E9F62A186,SHA256=8E4F235477529FE97C7C4C5FA431323C9F6B7AB1048C6D7B815B01191B02FF3A,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541598|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:19.199|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|2370|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541597|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:21.641|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=BAB2FB5A0625F5A6F9FE025EC59E92AD,SHA256=30B665391DA71B78727702A1F2CEB481076ABCE667416B9743F9C762E26B9EDB,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446727|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:21.483|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=005554F23BC1F239533C8E4292C7A6D0,SHA256=B3E8B57960DE9E6EC77E7B8F4C76673FA5A90CFCC43C2AA71DACB985669D031C,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446729|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:22.515|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=18DE14340DEC2EF80AADABEFA0603611,SHA256=2959B9DB68BF5D4D5AE94A9F50FA1C37528A25733B43269FAF8EEB6D180268F1,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541601|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:20.278|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|6812|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541600|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:22.720|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=1ED349B655993BAD579B12D6551A7C87,SHA256=1260C8B916C05172ACC3BFFAA3FD6BBBB196DB134BA5ED638B432E380E3CACCC,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541599|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:22.016|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=2A5CD368C3A47688D3A88E4080C94DC7,SHA256=8C922A86E4EC3CB87F273F31740DB163323378984C22A228A1201CE8AA116548,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1446728|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:19.925|{69CF5F33-18A6-6154-6300-00000000FE01}|3980|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe|NT AUTHORITY\SYSTEM|tcp|true|false|10.0.1.15|win-host-542.attackrange.local|50792|-|false|10.0.1.12|-|8000|-
3|5|4|3|0|0x8000000000000000|1541605|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:21.367|{5EBD8912-18C4-6154-6E00-00000000FE01}|4004|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe|NT AUTHORITY\SYSTEM|tcp|true|false|10.0.1.14|win-dc-429.attackrange.local|65150|-|false|10.0.1.12|ip-10-0-1-12.eu-central-1.compute.internal|8000|-
3|5|4|3|0|0x8000000000000000|1541604|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:21.357|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|11506|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541603|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:23.720|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=2EE10AA6DA66F6D68CDE1ACE9098961A,SHA256=15A0BDE498A99ADB38B1BA76B21A204D0F9BBF258B71DCBEF6059E1529F3D7B7,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446730|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:23.531|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=13A7B36EE09196106DD4038224E5B4B9,SHA256=327EFAC0C956B76963C0118BCF0DC8622538EC61D20B705024B8842E08B8E720,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541602|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:23.110|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=A09D635A6165FCCF67C279F7BAF42168,SHA256=2878E72666A2DC1D14B076BA3AE5E346BF21DAD8AA41B19C21B44439693197F0,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541608|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:22.487|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|16128|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541607|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:24.735|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=4F688C66568AB5AB374AE4BC3B4C0F37,SHA256=4B3BB4E8ABCBF76DEBEABAE57E2C9BDA9C05A4B1D497795E1B5EAD6B3BD526B0,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446732|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:24.662|{69CF5F33-189A-6154-1B00-00000000FE01}|1932|NT AUTHORITY\SYSTEM|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe|C:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-083|MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446731|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:24.534|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=EC63EC2004B84A13698C291F5B85F135,SHA256=C4ED1DD1AAE87A8C400B12B2325BF98378E61E45400A612E793B9CFEF040C3B7,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541606|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:24.220|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=907A2D61459F787D25478C174A5ABC72,SHA256=64E4D4350DAE3C9EDCC80CE238B02DB7D4523D6E19F154476D5C33260D7C1684,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541613|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:23.644|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|21131|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541612|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:23.607|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.96|-|37324|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541611|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:23.582|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.96|-|37217|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541610|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:25.787|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=3914B57CB3D08835F57AC3C0973DE9BC,SHA256=CFC62668782CE8D0904EAE21DFD4D6A3EC7884151A6FE9307CCA2B604B48DACD,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446734|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:25.661|{69CF5F33-189A-6154-1B00-00000000FE01}|1932|NT AUTHORITY\SYSTEM|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe|C:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-084|MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446733|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:25.535|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=FC119155D5164A404A35CF5C9B16AFAA,SHA256=A51DD08C9705C092B5A43D4EEB2175570F5FBEF5D7F0D8ECF179EB9FE3D5FFDF,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1541609|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:25.345|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security|MD5=4E4D7C4A8FC5B264F025D1781E9B3F65,SHA256=14A88B9362665CC142C3B58715B2F6CE4AF72B38EC3A187F5D9763A94293E8CE,IMPHASH=00000000000000000000000000000000|false|true
3|5|4|3|0|0x8000000000000000|1541617|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:24.746|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.43.67|-|25902|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
3|5|4|3|0|0x8000000000000000|1541616|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:24.684|{5EBD8912-18AC-6154-0F00-00000000FE01}|96|C:\Windows\System32\svchost.exe|NT AUTHORITY\NETWORK SERVICE|tcp|false|false|94.232.42.96|-|41871|-|false|10.0.1.14|win-dc-429.attackrange.local|3389|ms-wbt-server
23|5|4|23|0|0x8000000000000000|1541615|Microsoft-Windows-Sysmon/Operational|win-dc-429.attackrange.local|-|2021-09-29 09:07:26.787|{5EBD8912-18CB-6154-7700-00000000FE01}|1336|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational|MD5=C780524BD2D83AA6B8EF9F2B911A5033,SHA256=1DD13F324718295ACD3BAAA5D1AB9DF23F8EF945BC04354CBD7E14DF5799A392,IMPHASH=00000000000000000000000000000000|false|true
23|5|4|23|0|0x8000000000000000|1446735|Microsoft-Windows-Sysmon/Operational|win-host-542.attackrange.local|-|2021-09-29 09:07:26.536|{69CF5F33-18AE-6154-6C00-00000000FE01}|3364|NT AUTHORITY\SYSTEM|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe|C:\Program ...
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8916208F1163D57269D22A39C2F6EBBE,SHA256=DD19F0FCF54D15F4C64C51DC22B50EC646A9DD6DFF8158EF7AA75522E8FC2ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:26.428{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A9A2EFE3CA34EB3ADBF01A4A867C090,SHA256=CCE15A880AD731BC9CB067475CE4431D210EE6B1DC79248CC4B424BECEAE00B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.567{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096259B8557DAFDB99CC34F8C1FE2026,SHA256=CF6AC80D1235D3D4F50FE5AC6A212A43B3FFA011B342F4FB8E27DB63DB114C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:25.860{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30821-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:25.766{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
23542300x80000000000000001541618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:27.506{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3AFC14D1F403E8416D86C1FA4A672AC,SHA256=878C5246836DDA7D261824D24A5B8471031E3BD41F9DD0B206D8744DF596B4C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CCF-6154-F102-00000000FE01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:27.427{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2CCF-6154-F102-00000000FE01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CCF-6154-F102-00000000FE01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:27.427{69CF5F33-2CCF-6154-F102-00000000FE01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.583{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C181C2AEC177B390D5CB728CB92B44,SHA256=0729A9E86D3EEE74ED2BD9E3151E03A90C2D2B5471D63A0845312B4E6F2BA500,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001541623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:26.845{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-51215-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:28.584{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09D2180D9190CEA6136B1DDD81C79F48,SHA256=77C0CE748E79DC4451B1EA921A060B3A1DF15278A0AC3BA3F9A71832117B5314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:28.006{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E56305DEF0CB032A8DB1E5F00E185ED,SHA256=7A5C226EA4E430CC711AF0188AD9F460D8C0597EE8E4A4CC32D6DC534AF7E527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.536{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A05A45472C2E12D668107F980D3B6ED,SHA256=E0BEFF23F459D40D56B6E1F04F454126EA2936EFF9D568AACAB522B8B7D906CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.536{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A921DA6572675ABF2224FCAE5A993A,SHA256=AD636C473158A5C2E009A45E49C817BD4B9BD219C9A6DF5F7C5813286C29278C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.489{69CF5F33-2CD0-6154-F202-00000000FE01}40163300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.286{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CD0-6154-F202-00000000FE01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:28.286{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.286{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2CD0-6154-F202-00000000FE01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:28.286{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CD0-6154-F202-00000000FE01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5535D0429C2C30D95BA94897B080A177,SHA256=4E4EA2F67F515582FE34F2541230EC149C1E3E234E4C46858D1E4914EA8AADC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:39.849{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C51B1AA922CC565E8BCB280438F59CD,SHA256=9A16743D5DEB9007709D42C021DAFBCB8BAB23CFEAEF144D7B3BC884D6CBD3B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.865{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
23542300x80000000000000001541667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.646{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44D6850CEBD1B1D19C820B5395F3E31B,SHA256=63F41A46E4D86DECC268B4DD620B302056617613C264C411824AB09E9C0EBD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.146{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A0233D5D6D4D670E3CCF247FB91609,SHA256=E9C5FCCCCE8773968F8CFB74B017888966CA43621FE9BF6B469F4F9A0E3AA6DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:37.711{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50795-false10.0.1.12-8000- 354300x80000000000000001541665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:36.953{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:36.829{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35776-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001541663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:35.783{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-13771-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:35.752{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001446805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:40.865{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6852ABB278E1C8EDFF06D6099C3CC3A,SHA256=25EB43B262B9D010B642928598BCD725C22F3B5F0D9A3BF0CE75403A613EE364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.080{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65154-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001541675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.080{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65154-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001541674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:38.987{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45245-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:40.725{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D7B63857D8CBD67F07331DA7CC9D12A,SHA256=091FEBEA967420051BEB38B7CC16E4BE93FF1985D65B35797B5ACB5105C199E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:40.146{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BFBCA6D4E2319DDDCED0449152F64DC,SHA256=EEDDD2764C7D231F9EA88F4ABAF02504506BA168AD4595C65AE3497AF230230C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:38.419{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001541670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:38.064{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-23501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001541669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:37.909{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40646-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001446806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:41.880{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012E68D2081538D300AA33AE93F4D8BF,SHA256=18206C9E11473F4FAD2471DB0FAA8C9D2E4EC4EB37AF7B47D44D749DC2BA52AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:41.850{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F69D06DCC2701FF2F5674BC7BD73C050,SHA256=F068A8F51F6D95534AF2A2D485530873CED3BF3334BBAF102AE5B802BF3511B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:41.162{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBB6E61DC77392CF95BAD049CC1B64B,SHA256=84DE65629BE58E0326D139804C6D568DDFD9AB07A9DBD5BE85A1EFD14AD631C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:39.233{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28279-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.188{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65156-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001541679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.188{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65156-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001541678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.089{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65155-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001541677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:39.089{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65155-false10.0.1.14win-dc-429.attackrange.local389ldap 23542300x80000000000000001446820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.881{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472C6A719B6688AB6508DF8A9ACE8733,SHA256=BD183B7152DD6DF3F7C9BCEA0E54AB3DCAB98B743821216F22EF0CB8A0A451F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:42.959{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D59D980BC88008B671CA5650196CBE6,SHA256=47F2080C38B6839CD3514AFD7E95065FE2B3293C4E53A1F51DF18B799A527CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:42.193{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEAB2F68EF18DDB15A86D8321023C2C,SHA256=6E8ADD001725544E5EDA211ED99DABF0BA249C493257CE1C37EFAAA8718FF1EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:40.077{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-50052-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001446819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CDE-6154-F402-00000000FE01}3588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:42.787{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2CDE-6154-F402-00000000FE01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CDE-6154-F402-00000000FE01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:42.787{69CF5F33-2CDE-6154-F402-00000000FE01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001446851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CDF-6154-F602-00000000FE01}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
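Two signals in the Sysmon export above are worth separating. The Event ID 3 records show svchost.exe running as NT AUTHORITY\NETWORK SERVICE (the Remote Desktop service) accepting inbound TCP connections (Initiated=false) on port 3389 of the domain controller win-dc-429 (10.0.1.14) from the public addresses 94.232.43.67, 94.232.42.96 and 116.203.202.72, several times within a few seconds, which means the DC's RDP port is reachable from the Internet. The Event ID 10 records show the System process (PID 4) opening lsass.exe with GrantedAccess 0x1000 and kerberos.dll in the call trace, which is ordinary Kerberos work on a DC and must not be confused with credential dumping. The Python below is an added example and not part of the original export or of Attack Range; it assumes the events arrive as one JSON object per line carrying the Sysmon field names (a constructed rendering, since the export on this page has its field delimiters stripped). The sample records echo the hosts and addresses above, except the final dump.exe record, which is invented so the LSASS check has a positive case to flag.

```python
"""Triage of Sysmon Event ID 3 (NetworkConnect) and 10 (ProcessAccess) records.

Added example, not part of the original log export. SAMPLE_LOG is a constructed
JSON-lines rendering with Sysmon field names; values echo the export above, except
the last record (dump.exe opening lsass.exe with 0x1fffff), which is invented so the
credential-dumper case can be shown next to the benign Kerberos one.
"""
import ipaddress
import json
from collections import Counter

# PROCESS_VM_READ (0x0010) is the right a credential dumper needs. A mask without it,
# such as 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), cannot read LSASS memory.
PROCESS_VM_READ = 0x0010
RDP_PORT = "3389"

# Constructed sample (see module docstring); not copied from the page.
SAMPLE_LOG = r"""
{"EventID": 3, "UtcTime": "2021-09-29 09:07:31.441", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE", "Protocol": "tcp", "Initiated": "false", "SourceIp": "94.232.43.67", "SourcePort": "54197", "DestinationIp": "10.0.1.14", "DestinationHostname": "win-dc-429.attackrange.local", "DestinationPort": "3389"}
{"EventID": 3, "UtcTime": "2021-09-29 09:07:32.360", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE", "Protocol": "tcp", "Initiated": "false", "SourceIp": "94.232.42.96", "SourcePort": "16359", "DestinationIp": "10.0.1.14", "DestinationHostname": "win-dc-429.attackrange.local", "DestinationPort": "3389"}
{"EventID": 3, "UtcTime": "2021-09-29 09:07:32.513", "Image": "C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_stream\\windows_x86_64\\bin\\streamfwd.exe", "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp", "Initiated": "true", "SourceIp": "10.0.1.14", "SourcePort": "65152", "DestinationIp": "10.0.1.12", "DestinationHostname": "ip-10-0-1-12.eu-central-1.compute.internal", "DestinationPort": "8000"}
{"EventID": 3, "UtcTime": "2021-09-29 09:07:32.532", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE", "Protocol": "tcp", "Initiated": "false", "SourceIp": "94.232.43.67", "SourcePort": "58815", "DestinationIp": "10.0.1.14", "DestinationHostname": "win-dc-429.attackrange.local", "DestinationPort": "3389"}
{"EventID": 3, "UtcTime": "2021-09-29 09:07:35.231", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE", "Protocol": "tcp", "Initiated": "false", "SourceIp": "116.203.202.72", "SourcePort": "65285", "DestinationIp": "10.0.1.14", "DestinationHostname": "win-dc-429.attackrange.local", "DestinationPort": "3389"}
{"EventID": 3, "UtcTime": "2021-09-29 09:07:39.089", "Image": "C:\\Windows\\System32\\lsass.exe", "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp", "Initiated": "false", "SourceIp": "10.0.1.14", "SourcePort": "65155", "DestinationIp": "10.0.1.14", "DestinationHostname": "win-dc-429.attackrange.local", "DestinationPort": "389"}
{"EventID": 10, "UtcTime": "2021-09-29 09:07:39.865", "SourceImage": "System", "SourceProcessId": "4", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "TargetProcessId": "640", "GrantedAccess": "0x1000", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+221bd|C:\\Windows\\system32\\kerberos.DLL+96ef2"}
{"EventID": 10, "UtcTime": "2021-09-29 09:07:42.787", "SourceImage": "C:\\Windows\\sysmon64.exe", "SourceProcessId": "1968", "TargetImage": "C:\\Windows\\system32\\svchost.exe", "TargetProcessId": "732", "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+5eab4|c:\\windows\\system32\\lsm.dll+e9d6"}
{"EventID": 10, "UtcTime": "2021-09-29 09:08:01.000", "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\dump.exe", "SourceProcessId": "5120", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "TargetProcessId": "640", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+221bd|C:\\Users\\bob\\AppData\\Local\\Temp\\dump.exe+1a2b"}
"""


def parse_records(text):
    """One JSON object per non-empty line (constructed rendering of the Sysmon fields)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_public(ip):
    """True for a globally routable address; RFC1918, loopback and link-local are False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # Sysmon writes "-" when a field is empty
        return False


def inbound_rdp_from_internet(records):
    """Count inbound (Initiated=false) TCP connections to 3389 whose source is a public
    address, keyed by (source IP, destination host). Repeats from one source within
    seconds, as on this DC, are the scanning / brute-force signal."""
    hits = Counter()
    for r in records:
        if r.get("EventID") != 3 or r.get("Protocol") != "tcp":
            continue
        if r.get("Initiated") != "false" or r.get("DestinationPort") != RDP_PORT:
            continue
        if is_public(r.get("SourceIp", "-")):
            hits[(r["SourceIp"], r.get("DestinationHostname", r["DestinationIp"]))] += 1
    return hits


def lsass_access_suspects(records):
    """Return (SourceImage, GrantedAccess) for ProcessAccess events on lsass.exe whose mask
    includes PROCESS_VM_READ. The System-process 0x1000 opens with kerberos.dll in the
    call trace, as seen on the DC above, do not carry that bit and are left alone."""
    suspects = []
    for r in records:
        if r.get("EventID") != 10:
            continue
        if not r.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        granted = int(r["GrantedAccess"], 16)
        if granted & PROCESS_VM_READ:
            suspects.append((r["SourceImage"], f"0x{granted:x}"))
    return suspects


def triage(text):
    """Run both checks over a JSON-lines export and return the findings."""
    records = parse_records(text)
    return {
        "rdp_from_internet": inbound_rdp_from_internet(records),
        "lsass_suspects": lsass_access_suspects(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Two caveats when running this against a real Sysmon feed. Event ID 3 fires once per accepted TCP connection, so the per-source count has to be taken over a time window; a handful of hits in a few seconds from one public address, as here, is the pattern worth alerting on, and the fix is to stop exposing 3389 on a domain controller rather than to tune the threshold. For Event ID 10, GrantedAccess alone is a coarse filter: a dumper can request a minimal mask, so the call trace (unsigned or unknown modules, or dbghelp/dbgcore) and the source image path should be checked as well, and a allowlist of the benign System/kerberos.dll and sysmon64.exe/lsm.dll patterns shown in this export keeps the noise down.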
10341000x80000000000000001446849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.974{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2CDF-6154-F602-00000000FE01}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.974{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CDF-6154-F602-00000000FE01}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.975{69CF5F33-2CDF-6154-F602-00000000FE01}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.927{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FD8A847E37C008C616EB31E19A8173,SHA256=DC37DDF43B64481A977BD86111A1FBE3E5C677CE93B3F93E8C39B6319C40AA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:43.225{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FD1E03A2B89D627D854ACC2431B578,SHA256=8E9724A4417FAD9723CF98D1FC5F9F6FC49C4575BE69D34D3A1F0DA811A0EFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.787{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D2769D63DE1824F4198E788EC8C65A1,SHA256=10A785769B9613880003D0263853E0A71429AC4873EA98FBB1BE5561B57EDC15,IMPHASH=00000000000000000000000000000000falsetrue 
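How to read the records above: each one is a Sysmon XML event with its tags stripped, so the element text runs together in schema order. The System block contributes EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel and Computer (values carried in attributes, such as the provider name, TimeCreated and the Execution ProcessID, are gone), and the EventData block follows with RuleName (here always "-"), UtcTime and the per-type fields: for EventID 3 ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName; for EventID 10 SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace; for EventID 23 ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived. Two things are lost for good: SourceProcessId and SourceThreadId in EventID 10 are fused into one digit string ("7324072" is 732/4072 or 73240/72, both legal Windows IDs), and FileVersion, Description, Product, Company and OriginalFileName in EventID 1 run together without a separator. The decoder below is an added example written for this page; it is not part of the dump, of Sysmon or of Attack Range. Its sample records are copied from the lines above (the EventID 10 CallTrace is cut after the lsm.dll frame), the field names and function names are its own, and it leans on two properties of these records, that Task equals EventID and that Keywords is 0x8000000000000000, to find the boundaries inside the fused leading digits. It ends with the two checks a reviewer of this dump would want: accepted TCP/3389 connections from globally routable addresses, which here are the 94.232.42.96 and 94.232.43.67 records against win-dc-429, and ProcessAccess handles opened to sysmon64.exe together with their GrantedAccess mask.

```python
"""Decode Sysmon events flattened from XML to bare text (added example for the dump above).
System text nodes: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer;
then EventData: RuleName ("-"), UtcTime and the per-type fields in schema order."""
import ipaddress
import re

# Constructed sample: four records copied from the page; the EventID 10 CallTrace is cut
# after the lsm.dll frame to keep it short, everything else is as it appears above.
SAMPLE_RECORDS = [
    # EventID 3 (NetworkConnect): the DC accepting an RDP connection from a public address
    r"354300x80000000000000001541688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local"
    r"-2021-09-29 09:07:41.218{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe"
    r"NT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-55023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server",
    # EventID 3: the forwarder's own outbound session to the Splunk server on 8000
    r"354300x80000000000000001446853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local"
    r"-2021-09-29 09:07:42.867{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder"
    r"\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEM"
    r"tcptruefalse10.0.1.15win-host-542.attackrange.local50796-false10.0.1.12-8000-",
    # EventID 10 (ProcessAccess): svchost.exe opening a handle to sysmon64.exe
    r"10341000x80000000000000001446849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local"
    r"-2021-09-29 09:07:43.974{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe"
    r"{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad",
    # EventID 23 (FileDelete): splunk-winevtlog.exe replacing its checkpoint file
    r"23542300x80000000000000001446838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local"
    r"-2021-09-29 09:07:43.927{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEM"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
    r"MD5=B9FD8A847E37C008C616EB31E19A8173,SHA256=DC37DDF43B64481A977BD86111A1FBE3E5C677CE93B3F93E8C39B6319C40AA12,"
    r"IMPHASH=00000000000000000000000000000000falsetrue",
]

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
# Task equals EventID and Keywords is 0x8000000000000000 in every record; that is what pins
# the boundaries inside the fused leading digits ("10341000x8..." -> 10, 3, 4, 10, 0).
HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"0x8000000000000000(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<data>.*)$")
NET = re.compile(  # EventID 3; hostnames are "-" when unresolved, port names "-" when unknown
    r"^(?P<guid>" + GUID + r")(?P<pid>\d+)(?P<image>C:\\.+?\.exe)(?P<user>.+?)(?P<protocol>tcp|udp)"
    r"(?P<initiated>true|false)(?P<src_ipv6>true|false)(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<src_host>.*?)(?P<src_port>\d{1,5})(?P<src_port_name>-|[a-z][a-z0-9-]*)"
    r"(?P<dst_ipv6>true|false)(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<dst_host>.*?)(?P<dst_port>\d{1,5})(?P<dst_port_name>-|[a-z][a-z0-9-]*)$")
ACCESS = re.compile(  # EventID 10; SourceProcessId and SourceThreadId arrive fused
    r"^(?P<src_guid>" + GUID + r")(?P<src_pid_tid>\d+)(?P<src_image>[^{]+)"
    r"(?P<tgt_guid>" + GUID + r")(?P<tgt_pid>\d+)(?P<tgt_image>.+?)"
    r"(?P<granted>0x[0-9a-fA-F]+)(?P<call_trace>C:\\.*)$")
DELETE = re.compile(  # EventID 23
    r"^(?P<guid>" + GUID + r")(?P<pid>\d+)(?P<user>.+?)(?P<image>C:\\.+?\.exe)(?P<target>C:\\.+?)"
    r"(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)"
    r"(?P<is_executable>true|false)(?P<archived>true|false)$")
BODY = {3: NET, 10: ACCESS, 23: DELETE}


def split_pid_tid(digits):
    """Every split of the fused SourceProcessId+SourceThreadId digits into two plausible Windows
    IDs (multiples of 4, no leading zero). The boundary is gone, so this is a candidate list."""
    out = []
    for i in range(1, len(digits)):
        pid, tid = digits[:i], digits[i:]
        if pid[0] != "0" and tid[0] != "0" and int(pid) % 4 == 0 and int(tid) % 4 == 0:
            out.append((int(pid), int(tid)))
    return out


def parse_record(rec):
    """Header fields for any record, plus the EventData fields for IDs 3, 10 and 23."""
    m = HEADER.match(rec)
    if not m:
        raise ValueError("not a flattened Sysmon record: " + rec[:40])
    ev = {"event_id": int(m["event_id"]), "version": int(m["version"]), "level": int(m["level"]),
          "record_id": int(m["record_id"]), "computer": m["computer"], "utc_time": m["utc_time"]}
    body_re = BODY.get(ev["event_id"])
    if body_re is None:  # e.g. EventID 1, whose FileVersion/Description/Product/Company text
        ev["raw_data"] = m["data"]  # ran together and cannot be split apart again
        return ev
    b = body_re.match(m["data"])
    if not b:
        raise ValueError(f"record {ev['record_id']} does not fit the EventID {ev['event_id']} layout")
    ev.update(b.groupdict())
    if ev["event_id"] == 10:
        ev["src_pid_tid_candidates"] = split_pid_tid(ev.pop("src_pid_tid"))
    return ev


def inbound_rdp_from_public(events):
    """(computer, source ip, source port) for EventID 3 records where the host accepted
    (Initiated=false) TCP/3389 from a globally routable address."""
    return [(ev["computer"], ev["src_ip"], int(ev["src_port"])) for ev in events
            if ev["event_id"] == 3 and ev["protocol"] == "tcp" and ev["initiated"] == "false"
            and ev["dst_port"] == "3389" and ipaddress.ip_address(ev["src_ip"]).is_global]


def handles_to_sysmon(events):
    """(source image, GrantedAccess) for EventID 10 records targeting the Sysmon service."""
    return [(ev["src_image"], ev["granted"]) for ev in events
            if ev["event_id"] == 10 and ev["tgt_image"].lower().endswith(r"\sysmon64.exe")]


if __name__ == "__main__":
    parsed = [parse_record(r) for r in SAMPLE_RECORDS]
    for ev in parsed:
        print(ev["record_id"], ev["event_id"], ev["utc_time"], ev["computer"])
    print("accepted RDP from public addresses:", inbound_rdp_from_public(parsed))
    print("handles opened to sysmon64.exe:", handles_to_sysmon(parsed))
```

Run as a script it prints one line per record and then the two result lists: the win-dc-429 record with source 94.232.42.96:55023, and svchost.exe holding 0x1400 on sysmon64.exe. 0x1400 is PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, a read-only mask; the 0x1fffff masks elsewhere in the dump are PROCESS_ALL_ACCESS handles that csrss.exe and the parent splunkd.exe hold on processes they had just created, which the EventID 1 records that follow them confirm. For the fused PID/TID digits the decoder refuses to guess and returns every plausible split; when the same SourceProcessGUID appears in other records whose ProcessId is unambiguous (the EventID 3 records carry it alone), use that to pick the right candidate.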
23542300x80000000000000001446836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.787{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F421E8D5468A1A3C4AD310460B1720,SHA256=5DC6E6354AF31CE38FA2FC643F4C915A627A1AAE4FC69E4370F568258515D341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.490{69CF5F33-2CDF-6154-F502-00000000FE01}39002524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.302{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CDF-6154-F502-00000000FE01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:43.302{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.302{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2CDF-6154-F502-00000000FE01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.302{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CDF-6154-F502-00000000FE01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.303{69CF5F33-2CDF-6154-F502-00000000FE01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001446821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:43.037{69CF5F33-2CDE-6154-F402-00000000FE01}35882844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001541688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:41.218{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-55023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:40.363{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-33060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:44.303{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74541474A919A7E4BB191735CAB6B9E,SHA256=D0082EFAA71759D7AAE005122581C6E370014DEE7062205096940E533B36A897,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:44.646{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CE0-6154-F702-00000000FE01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:44.646{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:44.646{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:44.646{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:44.646{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:44.646{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:44.646{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:07:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:57.495{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CED-6154-3003-00000000FE01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:57.495{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CED-6154-3003-00000000FE01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:57.496{5EBD8912-2CED-6154-3003-00000000FE01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:57.198{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71546CD9BD5E2F653F2D5E822A6D9E3C,SHA256=046D82771FAABE6CCA8B5A35DBD754DAFE21900BBAC09F12C9C401BE1BB05A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:57.022{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AED6F64A603108C501A192F3B44E7A,SHA256=91DA037EC7F1FC1C1D80F69EE333BB6C1A15644B68DA91CBAC4C2D7CCF759113,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:54.836{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50798-false10.0.1.12-8000- 23542300x80000000000000001446883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:58.725{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E10F95B495E5B2F76E1871C8B87473,SHA256=C0979EFBEE6407FDFB161E44359936D36364FE98F5A4B5B185608AC9675B252C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.666{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CEE-6154-3203-00000000FE01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:58.666{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.666{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:58.666{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.666{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.666{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2CEE-6154-3203-00000000FE01}3872C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.666{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CEE-6154-3203-00000000FE01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.668{5EBD8912-2CEE-6154-3203-00000000FE01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.276{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F63722DCE6768C9B641F1942C15C18F3,SHA256=896B9E3CACFEB6C7136E9D96C706D131CC5AB1A2656FE4E9B74E3E98B604ECAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.166{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CEE-6154-3103-00000000FE01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:58.166{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.166{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:58.166{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.166{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.166{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CEE-6154-3103-00000000FE01}5984C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.166{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CEE-6154-3103-00000000FE01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.167{5EBD8912-2CEE-6154-3103-00000000FE01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.135{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD14DDA73BE1A3C1BCF4A4A44EC0503,SHA256=E7E241C0AEAD4D246393C2E0E7CDB5FBAB16AEF2CEE028A2B29289D416A7ED2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:55.426{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-57860-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001446884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:59.741{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F63BD07B92758DE37FD378EE31CF5D5,SHA256=BFD0783F01A49CF08B91CB75A10A2268410412DBBA73F8B96C547408E4304979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A067B551EED81210237F2C851F1BCB5,SHA256=E771D8A05FF07E4B4BAE271F4C6CAE8B83887549788CFC05B802DF9FF5E3A6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0624399F3792C694A0C5A70C3C3B1D65,SHA256=4BD2D54C2686BBA3D66A429122154F0F71950D4497B5EBB961C1965BF54299D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:57.118{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44927-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:57.077{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1355-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:56.538{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:55.950{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.61-52224-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:55.895{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001446885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:00.741{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B48EC8E9CED60EA144B5A4E77E93ED2,SHA256=BCA8FD6D12DF2819F7512D3EFCEFD07949899F049C821C3103D43867FCC32AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.479{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8BBCF129115D165DB9694338F519D4D,SHA256=6310BB93668D68DD96317A1F717F5F32A2715251E5041E573F867E9B8A7735C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768CCCC7658662197B814151452754E8,SHA256=883F83DECAAD0DD95DD81A9DD220C533C29DFE09DA9768FC777C457129CF7D49,IMPHASH=00000000000000000000000000000000falsetrue 
EventID=3  Version=5  Level=4  Task=3  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541787  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:07:58.193  ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01}  ProcessId=96  Image=C:\Windows\System32\svchost.exe  User=NT AUTHORITY\NETWORK SERVICE  Protocol=tcp  Initiated=false  SourceIsIpv6=false  SourceIp=94.232.43.67  SourceHostname=-  SourcePort=49645  SourcePortName=-  DestinationIsIpv6=false  DestinationIp=10.0.1.14  DestinationHostname=win-dc-429.attackrange.local  DestinationPort=3389  DestinationPortName=ms-wbt-server
EventID=3  Version=5  Level=4  Task=3  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541786  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:07:57.615  ProcessGuid={5EBD8912-18AC-6154-0F00-00000000FE01}  ProcessId=96  Image=C:\Windows\System32\svchost.exe  User=NT AUTHORITY\NETWORK SERVICE  Protocol=tcp  Initiated=false  SourceIsIpv6=false  SourceIp=94.232.42.96  SourceHostname=-  SourcePort=8489  SourcePortName=-  DestinationIsIpv6=false  DestinationIp=10.0.1.14  DestinationHostname=win-dc-429.attackrange.local  DestinationPort=3389  DestinationPortName=ms-wbt-server
EventID=23  Version=5  Level=4  Task=23  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1446886  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-host-542.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.803  ProcessGuid={69CF5F33-18AE-6154-6C00-00000000FE01}  ProcessId=3364  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  Hashes=MD5=F934C3A1965AD1BA4081DB0412287BAC,SHA256=DC1BE20848D06531E4692F07AA2F2ED991578FD15BB31B6263E6C2BD7663EBA8,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541801  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.682  SourceProcessGUID={5EBD8912-2CF1-6154-3303-00000000FE01}  SourceProcessId=2172  SourceThreadId=2484  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  TargetProcessGUID={5EBD8912-18B9-6154-2900-00000000FE01}  TargetProcessId=2960  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  GrantedAccess=0x101400  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
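The signal worth pulling out of this slice is easy to miss among the forwarder's own noise (Event 23 archiving the Splunk checkpoint files, Event 10 handle opens by splunkd, csrss, conhost and the LSM svchost on each new Splunk helper, Event 1 for splunk-admon, splunk-netmon, splunk-MonitorNoHandle and splunk-powershell): the domain controller win-dc-429 (10.0.1.14) is accepting TCP connections on 3389 from three public addresses, 94.232.43.67, 94.232.43.61 and 94.232.42.96, every few hundred milliseconds, each from a fresh ephemeral port, into svchost.exe running as NETWORK SERVICE (TermService). Sysmon Event 3 with Initiated=false records completed connections, not scans of a closed port, so the DC's RDP listener is reachable from the Internet and is being hammered. The detection below is an added example, not part of the dataset or of any Splunk content: it parses Sysmon's XML EventData (the structure Splunk flattened above), keeps accepted inbound TCP/3389 connections whose source is globally routable, and reports sources that reach a host on at least three distinct ports inside a 60-second window. The window and threshold are choices for this example; the sample records are constructed from the values seen in the dump, with two benign records added, and are not a capture.

```python
"""Flag inbound RDP from public addresses in Sysmon Event ID 3 records (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DC = "win-dc-429.attackrange.local"


def sysmon3_xml(computer, utc, src_ip, src_port, dst_ip, dst_port, initiated="false"):
    """Build a minimal Sysmon Event ID 3 record (constructed sample, not a real capture)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>3</EventID><Computer>{computer}</Computer></System>"
        "<EventData>"
        f'<Data Name="UtcTime">{utc}</Data>'
        '<Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>'
        '<Data Name="Protocol">tcp</Data>'
        f'<Data Name="Initiated">{initiated}</Data>'
        f'<Data Name="SourceIp">{src_ip}</Data>'
        f'<Data Name="SourcePort">{src_port}</Data>'
        f'<Data Name="DestinationIp">{dst_ip}</Data>'
        f'<Data Name="DestinationPort">{dst_port}</Data>'
        "</EventData></Event>"
    )


# Constructed from the values in the dump: eleven accepted inbound connections to the
# DC's RDP port from three public sources, plus two benign records for contrast.
SAMPLE_EVENTS = [
    sysmon3_xml(DC, "2021-09-29 09:07:54.329", "94.232.42.96", 53175, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:54.816", "94.232.43.67", 34895, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:54.878", "94.232.43.61", 44197, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:55.426", "94.232.42.96", 57860, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:55.895", "94.232.43.67", 39877, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:55.950", "94.232.43.61", 52224, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:56.538", "94.232.42.96", 3829, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:57.077", "94.232.43.61", 1355, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:57.118", "94.232.43.67", 44927, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:57.615", "94.232.42.96", 8489, "10.0.1.14", 3389),
    sysmon3_xml(DC, "2021-09-29 09:07:58.193", "94.232.43.67", 49645, "10.0.1.14", 3389),
    # benign: the forwarder's own outbound stream to the Splunk server (Initiated=true)
    sysmon3_xml(DC, "2021-09-29 09:07:54.530", "10.0.1.14", 65160, "10.0.1.12", 8000, "true"),
    # benign (constructed): a single inbound RDP session from a private address
    sysmon3_xml(DC, "2021-09-29 09:07:56.000", "10.0.1.15", 50123, "10.0.1.14", 3389),
]


def parse_sysmon_event(xml_text):
    """Return (event_id, computer, {EventData Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, computer, data


def is_public(ip_text):
    """True for globally routable addresses; private, loopback and link-local are False."""
    return ipaddress.ip_address(ip_text).is_global


def find_inbound_rdp_from_internet(events, window=timedelta(seconds=60), min_ports=3):
    """Group accepted inbound TCP/3389 connections from public sources per (host, source)
    and report sources that used at least `min_ports` distinct source ports within `window`."""
    hits = defaultdict(list)  # (computer, source_ip) -> [(time, source_port), ...]
    for xml_text in events:
        event_id, computer, d = parse_sysmon_event(xml_text)
        if event_id != 3 or d.get("Protocol") != "tcp":
            continue
        # Initiated=false means the local side accepted the connection (3-way handshake done).
        if d.get("Initiated") != "false" or d.get("DestinationPort") != "3389":
            continue
        if not is_public(d["SourceIp"]):
            continue
        t = datetime.strptime(d["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        hits[(computer, d["SourceIp"])].append((t, int(d["SourcePort"])))

    findings = []
    for (computer, src), conns in sorted(hits.items()):
        conns.sort()
        best, start = 0, 0
        for end in range(len(conns)):  # sliding window over time-ordered connections
            while conns[end][0] - conns[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in conns[start:end + 1]}))
        if best >= min_ports:
            findings.append({
                "computer": computer, "source_ip": src, "connections": len(conns),
                "max_ports_in_window": best,
                "first": conns[0][0].isoformat(sep=" "), "last": conns[-1][0].isoformat(sep=" "),
            })
    return findings


if __name__ == "__main__":
    for f in find_inbound_rdp_from_internet(SAMPLE_EVENTS):
        print(f"{f['computer']} <- {f['source_ip']}: {f['connections']} inbound RDP connections, "
              f"{f['max_ports_in_window']} distinct ports in window, {f['first']} .. {f['last']}")
```

Against the sample it reports all three public sources and nothing for the forwarder's outbound session or the private-address RDP login. Two things to keep in mind when running this at scale: Sysmon only emits Event 3 for connections the host accepted, so a closed-port scan leaves no trace here and belongs to firewall or flow logs; and a finding should be correlated with Security 4624/4625 (LogonType 10) and TerminalServices-RemoteConnectionManager 1149 on the same host to tell a brute-force attempt from a successful foothold. The forwarder noise in the dump is better suppressed at the Sysmon configuration (exclude the forwarder's Image paths for Events 10 and 23) than filtered in the SIEM.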
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541800  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.510  SourceProcessGUID={5EBD8912-18BA-6154-3500-00000000FE01}  SourceProcessId=3292  SourceThreadId=3312  SourceImage=C:\Windows\system32\conhost.exe  TargetProcessGUID={5EBD8912-2CF1-6154-3303-00000000FE01}  TargetProcessId=2172  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  GrantedAccess=0x1fffff  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541799  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.510  SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01}  SourceProcessId=852  SourceThreadId=4560  SourceImage=C:\Windows\system32\svchost.exe  TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01}  TargetProcessId=2976  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541798  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.510  SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01}  SourceProcessId=852  SourceThreadId=4560  SourceImage=C:\Windows\system32\svchost.exe  TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01}  TargetProcessId=2976  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541797  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.510  SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01}  SourceProcessId=852  SourceThreadId=4560  SourceImage=C:\Windows\system32\svchost.exe  TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01}  TargetProcessId=2976  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541796  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.510  SourceProcessGUID={5EBD8912-18AB-6154-0C00-00000000FE01}  SourceProcessId=852  SourceThreadId=4560  SourceImage=C:\Windows\system32\svchost.exe  TargetProcessGUID={5EBD8912-18B9-6154-2A00-00000000FE01}  TargetProcessId=2976  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541795  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.510  SourceProcessGUID={5EBD8912-18A9-6154-0500-00000000FE01}  SourceProcessId=416  SourceThreadId=540  SourceImage=C:\Windows\system32\csrss.exe  TargetProcessGUID={5EBD8912-2CF1-6154-3303-00000000FE01}  TargetProcessId=2172  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  GrantedAccess=0x1fffff  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10  Version=3  Level=4  Task=10  Opcode=0  Keywords=0x8000000000000000  EventRecordID=1541794  Channel=Microsoft-Windows-Sysmon/Operational  Computer=win-dc-429.attackrange.local  RuleName=-  UtcTime=2021-09-29 09:08:01.510  SourceProcessGUID={5EBD8912-18B9-6154-2900-00000000FE01}  SourceProcessId=2960  SourceThreadId=3328  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  TargetProcessGUID={5EBD8912-2CF1-6154-3303-00000000FE01}  TargetProcessId=2172  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  GrantedAccess=0x1fffff  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.511{5EBD8912-2CF1-6154-3303-00000000FE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E5A1AE3E8C770C460A9ECBBBAC8469,SHA256=78AFF24B4502D12896DA300BE0CB75D58A5E4037E44236E375844209382AB521,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:58.708{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13282-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:58.259{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001446887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:02.819{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FF6A32EB2F02E5D5A070BC218E5343,SHA256=EAC68A8C10EB9F3D036BDB11AE720493EE39F23B3E6250170EBBEE0A91C2E88C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.791{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CF2-6154-3503-00000000FE01}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:02.791{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.791{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:02.791{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.791{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.791{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2CF2-6154-3503-00000000FE01}2464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.791{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CF2-6154-3503-00000000FE01}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.792{5EBD8912-2CF2-6154-3503-00000000FE01}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.588{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96DB0040B2E75933ABB886F96D13A957,SHA256=2DFF10D8C5A3CBF6A353B5518455434CC820BD3CA18B9F9ADFA2606AA71646E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.510{5EBD8912-2CF2-6154-3403-00000000FE01}5976308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.292{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F06242E6B48878707D64C32B453FBB2,SHA256=6B6A7D59A10D8AC3A3FA34B3A80E20EB377F17D0FB29072E2FF6DE7F19F6EF83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.292{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CF2-6154-3403-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.292{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:02.292{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.292{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:02.292{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.292{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CF2-6154-3403-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.292{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CF2-6154-3403-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.292{5EBD8912-2CF2-6154-3403-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001541841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.183{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19741-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.162{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24062-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001541839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.147{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.139{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23875-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-18471-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.124{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.116{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.103{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:00.100{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-18376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.093{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23288-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.081{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19342-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.064{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23013-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.059{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19176-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.041{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22822-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.021{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.42.96-19073-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.019{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.999{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18947-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.981{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.965{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.958{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.936{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22059-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001541820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.913{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-21685-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.883{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18518-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.861{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18412-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.861{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-21549-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.840{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18323-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.818{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18239-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:07:59.816{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-21432-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.795{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-21290-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.772{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-21140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.750{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.727{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.535{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-19400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.498{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.61-19005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.456{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-18572-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.394{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-18335-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.361{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65161-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001541804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.361{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65161-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001541803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.351{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-18205-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:59.287{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.67-54532-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:03.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC9C65E390DBE06B7741ADFD33E6F0A7,SHA256=CA93C9A481817F0A7FDC6C19509EFD00C34AE26C4336BF0014E8FCCEB7F0B849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:03.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED5A9D4467508E312306B7FA5EAF159,SHA256=99D2B4E3FA0EDB9220AFB8F8ED89BC0450F55EC8957F67E8FB4AC8518E452C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:03.866{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AD78DDC826EA23C1E6E53158E68397,SHA256=09CF213850F0D40F31BB006349AC5B7D36FDE91585ACF141D4721597B735014F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:03.600{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=664B19F614276795D38495B5E1A53BF7,SHA256=E46A76A352359ABA892AD4C99942E821C0BEF368DD18F1DDD1BC59CCBEF0F551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:03.600{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F016F6E875970D22819C4D7EE51351E4,SHA256=85EAB1B21BAEFF1CE5EF7D8B2D155054C089462E0A12133C7CB9127B299E4B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:00.789{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50799-false10.0.1.12-8000- 354300x80000000000000001541930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.219{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-30754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.185{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-30616-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.162{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.61-30408-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.140{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-30268-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.118{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-30128-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.096{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29910-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.060{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29678-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.023{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29530-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:01.001{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29402-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001541921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.979{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.956{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.938{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23026-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.933{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28971-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.911{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.908{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22965-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:00.885{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22836-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.875{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28591-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.852{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28457-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.850{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22738-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.830{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.828{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.808{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.61-28199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.807{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.784{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28080-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.784{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.763{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.761{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22346-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.739{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22254-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001541902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.724{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27617-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.717{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.688{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.683{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22028-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21930-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.650{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27247-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:00.639{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.615{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27026-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.602{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.580{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.577{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.577{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-59995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.554{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.61-26705-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.553{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-59808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21413-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.531{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26540-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.524{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21320-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.507{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.502{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001541883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.485{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.480{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.462{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.458{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21035-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.439{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25885-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.436{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20887-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:00.415{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.398{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20798-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.376{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001541874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.375{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25457-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.375{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.351{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:00.338{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.329{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.314{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.298{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.276{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.261{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24664-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.239{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.42.96-20012-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.238{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24388-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.205{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19920-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:00.199{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001541861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:02.995{5EBD8912-2CF2-6154-3503-00000000FE01}24643980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:04.866{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADD104D503A9D19DA7BD06AEA7F4F4D,SHA256=FEA3337465A5AEA0DDE853CE716556ADD4993131B8F04839BCD17490AABA1946,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:04.620{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CF4-6154-3603-00000000FE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:04.620{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B04EBAF9DAB5C1B64FC7DF46B333A37,SHA256=2A9480A293D71EBFD26D3D8BADABFA5CB7F28631C8327E4AD95816AB797DE196,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:17.851{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50804-false10.0.1.12-8000- 354300x80000000000000001446946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:17.731{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-18912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:16.654{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12706-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:20.273{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A2AB02244F6F8CF8481D553AAC78F17,SHA256=F0F4AAB896F032B3D08FC5923A628057342F48A1A3C2D10D6F833CDA190239A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:21.226{5EBD8912-18CB-6154-7700-00000000FE01}1336NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCA8BC2F41E7DC59B0BBB5489A0B7FB,SHA256=5E894FFAF0D03F90813AEE10A5F68A93AF690182E4598550E0FF387DB6774BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:21.382{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483E48D81CFFB1072DAB210DE840F5A9,SHA256=8301368B1D5647793654F06EC445E276B870AD6EED1E343631603FC9E77FC028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:21.367{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9932B267CCD5339CA28D3562D3A31FAF,SHA256=5B1954B3242DBECC5B27DB15140058413F630FC85CC75A2F04B10638CC65E13C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:18.842{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:22.445{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0DC26345017FE7898AA1D72E763135,SHA256=0F090B89C0BDA05DE1D1ACA5BA6948081A909040C9C48548E796714298E51157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:22.429{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1F1759A58E3C353F20F119E5FF406D,SHA256=C8ECF6C5F394357A5514C6E61F7A282C20927FE126D5EF1D442EEB9A1A832BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:22.226{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A18875F795D9C1885DF10D6CA246BE5,SHA256=53971E59AE54BA4D92FCA1E13876E009EE9A69A9883C96E7FA9D2C8F611462FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:19.966{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-30728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:23.523{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8800DB899D95DFE3A5FFBB9145FAEAA,SHA256=CB4CF2A07BBF5A14D579020B286EB96DD411C7EA3D4238DCC6F816D5309F2575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:23.445{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42376E2F9D043AD92A84A586D5B94E99,SHA256=29775170641A877AACD81FF3A71BE6CD26AF9DB9DA411A59F8A2EDC6FB8AA29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:23.226{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9EDC77BE4784EDB20B36988713D683,SHA256=CBC6D922AF38C2AC33B90C3177863FBF1850A3218DF6C6E8E57F3C4CECFCE7AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:21.059{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:24.601{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=907B45EBFB8AB4F0EB116525AF0FD8FD,SHA256=2B904A40DE8508B5801228A28EDA140292C10EFF0A30F685BF5ADEBC2D820B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:24.461{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E867CD7A4773294A16ED1FC10AEEB686,SHA256=A9D04FF361774FF3EABB67094440055464C96782941FF2D1EDDD51D314BDBF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:24.226{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88834BACFBFBFF8FA394E169FB8E408D,SHA256=D296961B1BC37C4CE65F5AADD441A741461E0FA8E3C2CE0B7301B45D8F6E06FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:22.137{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42817-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001541968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:22.373{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x80000000000000001541967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:25.226{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BE3B790483ADA87D745BDBDF40AB7D,SHA256=258C69BFECFB5988DB55E5A447209EB6F6967C430B97ADD07E4E124E83D39C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:25.806{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52B46D5BC7D857874F2FEB5C6FA2D2B2,SHA256=64E02A2EDCC0E422B00D0369594C1EFCE86A7A6E4F1FDA276C55D34226B947BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:25.476{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C32FA926C416DF0133D971968C575B3,SHA256=AA7047D623276FBC9E6E1D6F2AF07E4FF5FE3F5A10A76D466D24632BAA7E6D75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:23.788{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50805-false10.0.1.12-8000- 
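Added example, not part of the Sysmon export on this page. The records here are Sysmon events with the XML field boundaries stripped: each one runs the System header (EventID, Version, Level, Task, Opcode, Keywords 0x8000000000000000, EventRecordID, Channel, Computer), the UtcTime, ProcessGuid, ProcessId and the event-specific fields together, records are separated by a single space, and some of those spaces became line breaks when the page was extracted, which is why a record's date and time can sit on two lines. Among the Event ID 3 (NetworkConnect) records from win-host-542 there is roughly one inbound TCP connection per second from 94.232.43.15 to 10.0.1.15:3389 (ms-wbt-server), each from a fresh source port, all landing on the same svchost.exe listener (PID 964, NT AUTHORITY\NETWORK SERVICE). That shape is what an RDP brute-force or scan detection keys on. The Python below parses the flattened format with regular expressions, keeps the NetworkConnect records, and flags any (source, destination) pair that opens at least five inbound 3389 connections inside a 30-second window, noting whether the source lies outside RFC 1918 space. The sample input is nine records copied verbatim from this page; the parser assumes the standard Sysmon Event 3 field order, reads the lone "-" between Computer and UtcTime as an empty RuleName, and assumes IPv4 addresses, ".exe" image names and the 5-connection/30-second thresholds, none of which the page states.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: records copied verbatim from the Sysmon export on this page
# (six inbound 3389 connections, two outbound Splunk forwarder connections and
# one Event 23 FileDelete record that the connection parser must ignore).
RECORDS = [
    r"354300x80000000000000001446945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:16.654{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12706-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server",
    r"354300x80000000000000001446946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:17.731{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-18912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server",
    r"354300x80000000000000001446949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:18.842{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server",
    r"354300x80000000000000001446952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:19.966{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-30728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server",
    r"354300x80000000000000001446955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:21.059{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server",
    r"354300x80000000000000001446958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:22.137{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42817-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server",
    r"354300x80000000000000001446941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:15.882{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50803-false10.0.1.12-8089-",
    r"354300x80000000000000001541961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:17.357{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-",
    r"23542300x80000000000000001446944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:20.273{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A2AB02244F6F8CF8481D553AAC78F17,SHA256=F0F4AAB896F032B3D08FC5923A628057342F48A1A3C2D10D6F833CDA190239A8,IMPHASH=00000000000000000000000000000000falsetrue",
]
DUMP = " ".join(RECORDS)  # the export separates records with one space

# Record boundary: whitespace followed by the next System header
# "<EventID><Version><Level><Task><Opcode>0x8000000000000000<EventRecordID>Microsoft-Windows-Sysmon/Operational".
RECORD_SPLIT = re.compile(r"\s+(?=\d+0x80{15}\d+Microsoft-Windows-Sysmon/Operational)")

# Header digits decode as EventID, one-digit Version, Level 4, Task (== EventID), Opcode 0.
# The lone "-" between Computer and UtcTime is read as an empty RuleName (assumption).
HEADER = re.compile(
    r"^(?P<event_id>\d{1,3})\d4(?P=event_id)0"
    r"0x80{15}(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>\S+?)-"
    r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"\{(?P<process_guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<rest>.*)$"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST = r"-|[a-z0-9.-]+?"          # "-" when Sysmon resolved no hostname
PORT_NAME = r"-|[a-z][a-z0-9-]*"  # e.g. "ms-wbt-server"; "-" when unknown

# Event 3 body in Sysmon field order: Image, User, Protocol, Initiated, SourceIsIpv6,
# SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp,
# DestinationHostname, DestinationPort, DestinationPortName. IPv4-only addresses and
# ".exe" images are assumptions of this example that hold for every record on the page.
NET3 = re.compile(
    rf"^(?P<image>.+?\.exe)(?P<user>.+?)"
    rf"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src_v6>true|false)"
    rf"(?P<src_ip>{IPV4})(?P<src_host>{HOST})(?P<src_port>\d{{1,5}})(?P<src_pname>{PORT_NAME})"
    rf"(?P<dst_v6>true|false)"
    rf"(?P<dst_ip>{IPV4})(?P<dst_host>{HOST})(?P<dst_port>\d{{1,5}})(?P<dst_pname>{PORT_NAME})$"
)


def parse_records(blob):
    """Split the flattened export into records and decode each System header."""
    blob = " ".join(blob.split())  # undo page line wrapping: every separator becomes one space
    for raw in RECORD_SPLIT.split(blob):
        m = HEADER.match(raw)
        if m:
            yield int(m["event_id"]), m.groupdict()


def network_connections(blob):
    """Return the Event ID 3 (NetworkConnect) records as dicts with typed fields."""
    conns = []
    for event_id, rec in parse_records(blob):
        if event_id != 3:
            continue
        m = NET3.match(rec["rest"])
        if not m:  # unexpected layout (for example IPv6): skip rather than misparse
            continue
        conns.append({
            "utc": datetime.strptime(rec["utc"], "%Y-%m-%d %H:%M:%S.%f"),
            "computer": rec["computer"], "pid": int(rec["pid"]),
            "image": m["image"], "user": m["user"],
            "initiated": m["initiated"] == "true",
            "src_ip": m["src_ip"], "src_port": int(m["src_port"]),
            "dst_ip": m["dst_ip"], "dst_port": int(m["dst_port"]),
            "dst_port_name": m["dst_pname"],
        })
    return conns


def inbound_rdp_bursts(conns, min_connections=5, window=timedelta(seconds=30)):
    """Flag (source, destination) pairs with at least min_connections inbound
    connections to 3389 inside any `window`; thresholds are this example's choice."""
    by_pair = defaultdict(list)
    for c in conns:
        if not c["initiated"] and c["dst_port"] == 3389:  # Initiated=false: the host accepted it
            by_pair[(c["src_ip"], c["dst_ip"])].append(c)
    findings = []
    for (src, dst), hits in by_pair.items():
        hits.sort(key=lambda c: c["utc"])
        start = 0
        for end in range(len(hits)):  # sliding time window over the sorted hits
            while hits[end]["utc"] - hits[start]["utc"] > window:
                start += 1
            if end - start + 1 >= min_connections:
                findings.append({
                    "src_ip": src, "dst_ip": dst,
                    "external_source": not ipaddress.ip_address(src).is_private,
                    "count": len(hits),
                    "span_seconds": (hits[-1]["utc"] - hits[0]["utc"]).total_seconds(),
                    "listener": f'{hits[0]["image"]} (pid {hits[0]["pid"]}, {hits[0]["user"]})',
                    "source_ports": [c["src_port"] for c in hits],
                })
                break
    return findings


if __name__ == "__main__":
    for finding in inbound_rdp_bursts(network_connections(DUMP)):
        print(finding)
```

Run as-is it reports one finding: 94.232.43.15 to 10.0.1.15, six connections in about 5.5 seconds, external source, source ports 12706 through 42817, on the svchost.exe listener (pid 964). Because parse_records collapses all whitespace before splitting, the function can be pointed at the wrapped page text directly. The caveat a practitioner wants: this page carries no Security 4624/4625 logon events for the interval (only the splunk-winevtlog.exe reads of the Security channel in the Event 23 records), so the network pattern alone cannot separate a credential-guessing session from a scanner touching the port, and the finding should be corroborated against the logon-failure events for 10.0.1.15 before it is called brute force.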
354300x80000000000000001446961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:23.215{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-48907-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:26.448{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4919EAA15D833C006F7CABD3C9349462,SHA256=72C2D58F2EE8FDD0BC28574F13095F7BA5B5677EF633CE8F4BE242527732720D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:26.919{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=918D9FCB6EC0396B72E3EA3A13EC8B57,SHA256=BAF0038F7DDFBEFC7FF4A5B6BD75055B3D2AE72DCCBB17319264201D660517FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:26.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C6F1285873E70021F6A6A92728BCB8,SHA256=52B6AB5C39AF60DF552D1FFE3ED02C88C2184C1F78BF9F687069FD3004E5E1CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:24.308{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54882-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:26.204{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-084MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:25.510{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.512{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D9FC208C1054DCE9BBEFC3667B6C3D,SHA256=95785A87D43E314F8E304E91B542ED8AD83F13339F7454AFC90E98F8796D1178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:27.448{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E843690080B8E64F46055E3ABB7CFC,SHA256=0B98B524240A20C921B3B5F8A4F5F8CD62E87B049E955E260E5AB4AB9CA3EEB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.434{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D0B-6154-F802-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.434{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:27.434{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2D0B-6154-F802-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.434{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D0B-6154-F802-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.435{69CF5F33-2D0B-6154-F802-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.186{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-085MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:28.494{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CF1D4B1C11490693EE6B5CB1AC5762,SHA256=11FF62E6F93717D007D219A54D1742B511DEE61FEB4D3952D55443D2B164F17F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:26.611{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8364-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:28.517{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D9A0B9EE20FE2B891E978AF26DABAD,SHA256=D813AE4613664839CF9B1512F32D695E294D491692062148C65B1499805FE7E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.455{69CF5F33-2D0C-6154-F902-00000000FE01}8042612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.142{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D0C-6154-F902-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:28.142{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.142{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2D0C-6154-F902-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.142{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D0C-6154-F902-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.144{69CF5F33-2D0C-6154-F902-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.002{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E807F41B90C97279E7E86B615B6D2907,SHA256=ABACD84E0BB670FC7590A50B677891B2860914821E4AEEEEA48103B470290D8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:27.439{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:29.494{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468C6BF2C68DB54839F53009B4DD4859,SHA256=8147C3571A350F5ABF07520F4BED9AD7C5DFAB753D1E5105969D2B7BFF0CA30D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:27.721{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14423-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001447016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.611{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D0D-6154-FA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.611{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2D0D-6154-FA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.611{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.611{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D0D-6154-FA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.612{69CF5F33-2D0D-6154-FA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x80000000000000001447003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.533{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DE9FDD8C260FDCFB5F4AC255218513,SHA256=BA859AE7A07EEC14673886FEE225C8669B815F2969A23D01B53CD935428907A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.158{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C48FE1EE7FDD43A230478A213DECD36,SHA256=30D9D7C5F6C05A1BF9D7CFE52AEC4D7DE5463ACF1F5D1F1DB4F7B962ECFE273A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:30.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820648A3DB63DBEA750739C0B70AF22E,SHA256=FBFD80C806E688E7CDA38D5564881CE14E9C69980D4252CF2E17EC90F459B020,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:28.897{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:30.580{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6767313CA8DA9220E80E40A7F4DDDFE,SHA256=F79F30508228F7913A9647E1CC0FA4B7543A89EB4D7ED4DFF97FE00585123422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:30.392{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E0D139BD4CEB526FB9BA5BEA9E8FA64,SHA256=3F770A10DBF740117576847F6613E9E51303400BB545CDD7C65FC5F227D771E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:29.689{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50806-false10.0.1.12-8000- 23542300x80000000000000001447022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:31.580{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A54635AE34C73F726128628AE62F1A,SHA256=60F7D175EB8402DF89640139F2F781FD318B2653327C68B1E57B7C07693F0A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:31.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2F5CDC83A3E27EA5939E560DDB9E55,SHA256=DC326993A626F0C6A83CC09F3E22EAC5CDF7EA16BA2C9E5E41DE71CF3BF5BC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:31.471{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA9ACD5036CFA181472512887D54B4CD,SHA256=E0E16F58B0EAC27267686CDE14306CF79451FE1ACFCDA28097E50D4A736CC7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:32.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD8DD9B3783B3EC4FAA778D66FB5299,SHA256=699DF0FC1E2D2A925D2B8C6D2C512C7A71C2F715445B2273A0D2DADFC7E73EDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:31.162{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33434-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:30.085{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27410-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 
23542300x80000000000000001447025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:32.611{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA379DB7C047C594E41B91F511A4E9C,SHA256=0B2F559F8924905E504F92110287BF3ADA3092D37E07159FE17207BB9CFF145B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:32.549{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1525986C6739676C0E7DB45E6B076D35,SHA256=BAC823EB80FBB062AB46A65ECC11614C561880E35878453C167B4A0073F6F0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:33.807{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D10B71219B33CD7059008346FFD1E02C,SHA256=85D67E110C9C47FD4E83430B411489A1A4A669F54C367F8C579E220214A000EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:33.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F63F437006065D2FA7F720893C8FCB7,SHA256=03CFD37266BA6704ED146C3D120C2DE68C2F4775B125FED6647DD7D3320C5716,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001447029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:33.658{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C007D1C3E593509991FFEEA6EE4477,SHA256=136119D1E791CD05B4DA17C92306F62F3CABDB13EA53E5D4F95A22F40C12D367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:33.627{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42BE67FAA9ABC4EEB9A651F9317B1F0C,SHA256=21088A68B1A3E56089C86B0D6C981AE0C134330EE3E6257DEB5297EECE06A5BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:32.486{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:34.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E294DF38FDE0F34446B1FDDBBF663CD6,SHA256=42218CB884F4E8EFB9FD2D678B090D7CC765C67F97324D7A00A9A025ECD488E4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001447031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:34.721{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4DC7B089502942F9A8DF2812D5E0A96,SHA256=45D4D4B588130AEC04E0BBE0DD13381C320A5B037DA20FF231A0FCD1EE8CCA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:34.721{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CE707835CE76C68E351613A7F9041A,SHA256=8BA50771CADFADF987EDBB19E7BCBB2766D67170279A2CC02A550EE274B8AEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:35.799{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9865F951221F01C2B83DB5D41D36A4F,SHA256=A25D1CCA35E457420CDE358003E0B2628656792AB8A1CEE242C2662C24F24D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:35.752{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516FF387DDDEBBB3F2D0C58D985323F7,SHA256=4462591BC49E7514C5497C29D25129134BA67C2A9A52557FE1D515E698894BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:35.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4977F47F93922AD9A6B37B9EC5FC7D,SHA256=E51C6E169D1451C50F644CF83F9CDCB8076AAD6BA4ECD31178428A234F765530,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:33.319{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45510-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:32.241{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39483-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:36.924{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10F0E7A429246FCC82FA0B9DABA6E58F,SHA256=7F063B8E733D6CD39309E379975878314B9CE8C25ED02F7F234390F2DE84579F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001447038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:36.768{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=411E837D6F9B1BF1ABA1F620C9BA0EA4,SHA256=80B6A2DA680CFE95A10DE607F47B259C742D6C44B4EB2E0CEF4C69512EB79D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:36.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A447CD0F45E9CEAAA4BAA42463CA48,SHA256=EB50DB2ED387CB8F09A4F3191E1EDB9DDD7E9F95323CE94B006286B9B2F48DE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:34.720{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50807-false10.0.1.12-8000- 354300x80000000000000001447036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:34.412{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:37.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B879C76A582702243689E4BE3650418A,SHA256=502F74D0F5AA5BE70F415F12062AF2510EE1553C7FDCE531B706AE270410FCFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:37.783{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3940FA0EC461405DBE29F99F43A93D,SHA256=B93E57E45731F8A859F1E410A366943820069E2AA9CF6E09CDC1F59B4ABA96C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:38.815{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD87525C8A5D97F5A23AA36B0A8B945,SHA256=95EA616C6DEA494AA40989615B3C23715B3C924E8BC74C3D2119B074494E05BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:38.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5B2968365D1DD9BACA97CD655D9B09,SHA256=5B66F9B32D65CAF231C7B652CA7004E8E4A1FDD6811CC3A96855797CDD0E4BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:36.634{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4678-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:35.490{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57595-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:38.033{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261E25D8C254F01CC054DD84100A3EBF,SHA256=D1F6D2AE91E28E5F7D8F8FD22132F1A25B54442D02688A6A13E926FCC95B31B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:39.846{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832AEE9553C5ABF4C771A93BEF18CA64,SHA256=4F038BB717BC305DAA18BBC304B73262C5D0672C15776AED89FE5DF62E9C20C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:39.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F1E89E5E24329CC9514C4DE7D8E0E0,SHA256=5B2A29557A99235596B16D401E533AAD086A5F681097C6FF9FAF99C257F8CE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:39.159{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29F2E7D3EC7A876B626A7765944C5A44,SHA256=F1F22489ACA9CBD413DA802ADD4B510403A5078A593E91A8552069E148815CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:40.893{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48773619315CEC7CB625563C9D5AF816,SHA256=97F298C74979E5F6C5BC56A018CE159AE4CFB0A9168841D31039BE9F381E7966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:40.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8F0F9CBC048AA70FFA9E5EC53C39B5,SHA256=6D86619F0720217A73D5B5C77D9434979296E51D8647E8BA2630FA48B6FE946F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:37.739{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT 
AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-10841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:40.237{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0115C4C6910C463339674D54DB90E686,SHA256=C1A9E446C7FB0651B6914FB027976B505A7187D2B671E0A633B88F6BA8BFB02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:41.940{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E716B25F83080D41EF1F66A13AAE0265,SHA256=991E919306E7F15E65B990E8B0F3E44784AE16E87EDFED96A9B77452652EAA70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:38.486{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:41.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1CAA273670811656B84194442138AB,SHA256=5F38D99D3E8556B1A8D0220F0F3D2A70755AE2B0DFF9BB63A650BDF4077526D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:39.928{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:38.850{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:41.315{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE4156289F03723EBCE078454CCE23D9,SHA256=8ABF35AAC5FD331DB9CAD728DF12FE29257F5C5D348AA969B493D6FC6DE101CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.956{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F272D2E7D268D15CBE22B7238C3C325,SHA256=9C57E6F1DA4F169E60EF8D98D134919769DBC90A8AA7D3D06CFD99BD02E131CB,IMPHASH=00000000000000000000000000000000falsetrue 
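The EventID 3 records above for win-host-542 share one shape: inbound TCP (Initiated=false) from 94.232.43.15 to 10.0.1.15 on 3389/ms-wbt-server, roughly once per second, each from a new ephemeral source port, while the only other connections on the host are the forwarder's own outbound sessions to 10.0.1.12:8000. The following Python is an added example, not part of the exported dataset: it parses this delimiter-less export and runs a burst check over the inbound connections. The field order, the `0x8000000000000000` keyword prefix and the use of `-` for empty fields are inferred from the records on this page; the sample records are copied from them; the thresholds (`min_hits`, `window_s`) and all function names are the example's own assumptions. Only EventID 3 bodies are decoded; other events keep just their header fields.

```python
"""Parse delimiter-less Sysmon records (the export format shown on this page)
and flag bursts of inbound connections from one non-private address.
Added example; not part of the exported dataset."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Header as inferred from the export: EventID, Version, Level, Task (same digits
# as EventID), Opcode, keyword mask, RecordID, channel, computer, "-", UtcTime.
# The back-reference to EventID is what makes the leading digit run parseable.
RECORD_RE = re.compile(
    r"^(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)0x8000000000000000"
    r"(?P<rec>\d+)Microsoft-Windows-Sysmon/Operational(?P<host>[a-z0-9.-]+?)-"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$",
    re.S,
)
# EventID 3 body: ProcessGuid, ProcessId, Image, User, Protocol, Initiated,
# SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName,
# DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort,
# DestinationPortName.  A lone "-" is an empty field in this export.
NETCONN_RE = re.compile(
    r"^\{[0-9A-F-]+\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.+?\.exe)(?P<user>.+?)"
    r"(?P<proto>tcp|udp)(?P<initiated>true|false)(?:true|false)"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:-|[a-z0-9.-]+?)(?P<src_port>\d{1,5})"
    r"(?:-|[a-z0-9-]+?)(?:true|false)"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:-|[a-z0-9.-]+?)(?P<dst_port>\d{1,5})"
    r"(?P<dst_pname>-|[a-z0-9-]+)$"
)
# Records are whitespace-separated, but timestamps and paths contain spaces
# too, so split only where the next record header begins.
SPLIT_RE = re.compile(
    r"\s+(?=\d{3,8}0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)"
)


def parse_records(blob):
    """Split an export blob into records; EventID 3 records get their network
    fields decoded, every other event keeps only the header fields."""
    records = []
    for raw in SPLIT_RE.split(blob.strip()):
        m = RECORD_RE.match(raw)
        if not m:
            continue  # not a record in this format; skip rather than guess
        rec = {"eid": int(m["eid"]), "record_id": int(m["rec"]), "host": m["host"],
               "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")}
        if rec["eid"] == 3:
            n = NETCONN_RE.match(m["body"])
            if n:
                rec.update(n.groupdict())
                rec["initiated"] = n["initiated"] == "true"
                rec["src_port"] = int(n["src_port"])
                rec["dst_port"] = int(n["dst_port"])
        records.append(rec)
    return records


def inbound_bursts(records, min_hits=5, window_s=30):
    """Return (computer, dst_port, src_ip) groups where a non-private source
    opened at least min_hits accepted connections inside any window_s-second
    window.  Many hits from one address, each from a fresh ephemeral source
    port, is the shape of a port scan or a credential-guessing loop."""
    groups = defaultdict(list)
    for r in records:
        if r["eid"] != 3 or "src_ip" not in r or r["initiated"]:
            continue  # only connections this host accepted (Initiated=false)
        groups[(r["host"], r["dst_port"], r["src_ip"])].append(r)
    findings = []
    for (host, port, src), hits in groups.items():
        if ipaddress.ip_address(src).is_private:
            continue
        hits.sort(key=lambda r: r["ts"])
        best, j = 0, 0  # sliding window over the sorted timestamps
        for i in range(len(hits)):
            while (hits[i]["ts"] - hits[j]["ts"]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_hits:
            findings.append({
                "computer": host, "dst_port": port, "service": hits[0]["dst_pname"],
                "src_ip": src, "hits": len(hits), "max_in_window": best,
                "distinct_src_ports": len({r["src_port"] for r in hits}),
                "first": hits[0]["ts"].isoformat(), "last": hits[-1]["ts"].isoformat(),
            })
    return findings


# Sample input: records copied from this page (RecordID, UtcTime, SourcePort
# of the inbound 3389 hits; the two streamfwd sessions; one EventID 23 record).
RDP_HITS = [(1447026, "2021-09-29 09:08:30.085", 27410), (1447027, "2021-09-29 09:08:31.162", 33434),
            (1447032, "2021-09-29 09:08:32.241", 39483), (1447033, "2021-09-29 09:08:33.319", 45510),
            (1447036, "2021-09-29 09:08:34.412", 51509), (1447042, "2021-09-29 09:08:35.490", 57595),
            (1447043, "2021-09-29 09:08:36.634", 4678)]


def _rdp_hit(record_id, utc_time, src_port):
    """Rebuild one inbound-3389 record exactly as it appears in the export."""
    return (f"354300x8000000000000000{record_id}Microsoft-Windows-Sysmon/Operational"
            f"win-host-542.attackrange.local-{utc_time}"
            "{69CF5F33-1899-6154-1000-00000000FE01}964"
            r"C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE"
            f"tcpfalsefalse94.232.43.15-{src_port}-false"
            "10.0.1.15win-host-542.attackrange.local3389ms-wbt-server")


STREAMFWD = (
    "354300x80000000000000001447023Microsoft-Windows-Sysmon/Operational"
    "win-host-542.attackrange.local-2021-09-29 09:08:29.689{69CF5F33-18A6-6154-6300-00000000FE01}3980"
    r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"
    "NT AUTHORITY\\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50806-false10.0.1.12-8000-",
    "354300x80000000000000001541980Microsoft-Windows-Sysmon/Operational"
    "win-dc-429.attackrange.local-2021-09-29 09:08:32.486{5EBD8912-18C4-6154-6E00-00000000FE01}4004"
    r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"
    "NT AUTHORITY\\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65168-false"
    "10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-",
)
FILE_DELETE = (
    "23542300x80000000000000001541978Microsoft-Windows-Sysmon/Operational"
    "win-dc-429.attackrange.local-2021-09-29 09:08:33.807{5EBD8912-18AC-6154-1100-00000000FE01}444"
    "NT AUTHORITY\\LOCAL SERVICE"
    r"C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat"
    "MD5=D10B71219B33CD7059008346FFD1E02C,SHA256=85D67E110C9C47FD4E83430B411489A1A4A669F54C367F8C579E220214A000EC,"
    "IMPHASH=00000000000000000000000000000000falsetrue"
)
SAMPLE = " ".join([_rdp_hit(*h) for h in RDP_HITS] + list(STREAMFWD) + [FILE_DELETE])

if __name__ == "__main__":
    for finding in inbound_bursts(parse_records(SAMPLE)):
        print(finding)
```

Run stand-alone it prints one finding: seven accepted connections to 3389/ms-wbt-server on win-host-542 from 94.232.43.15 within 6.5 seconds, seven distinct source ports. The forwarder's sessions are dropped by the Initiated=true test and by the private-address test, so the rule keys on what the records actually show: a single external address repeatedly reaching an exposed RDP listener. Tune `min_hits` and `window_s` to the environment; on a host that legitimately serves RDP from the internet, pair the rule with the 4625/4624 logon outcomes for the same source before treating it as more than a scan.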
23542300x80000000000000001541989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:42.495{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AF8147537BD332D3AB04E6177E1E77,SHA256=231C1592603C257FCB59027F9625565A0BD4DE23CFC5D1095FB0CE106D2DFB1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001447069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D1A-6154-FB02-00000000FE01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:42.784{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2D1A-6154-FB02-00000000FE01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D1A-6154-FB02-00000000FE01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.784{69CF5F33-2D1A-6154-FB02-00000000FE01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001447056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:41.021{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29096-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:40.735{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50808-false10.0.1.12-8000- 23542300x80000000000000001447054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.440{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA864F5DBF0CA6AC891DD090A2097497,SHA256=AAD40CB80A3A011AE6501FFF9BC9B795A19D220749807FA6AB921B0E29047CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77786768B0644CF4BC93B0AC0FE02E60,SHA256=FDA0988A0EBAD93009B15A0784569258FDD70A5DB5993F61E71EB671265AD660,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001447099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D1B-6154-FD02-00000000FE01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.971{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2D1B-6154-FD02-00000000FE01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.971{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D1B-6154-FD02-00000000FE01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.972{69CF5F33-2D1B-6154-FD02-00000000FE01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:43.510{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EED54B0D1F77C2308FF8F4F0C1984A,SHA256=5595925747748E45F97296CAE69009FB11D8128C102DDB76B6A68184DBF36A71,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001447086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.565{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5A08F2F6780ED46EDEDCD84380DD5EF,SHA256=5859DCAAC2BE26A3279A3E42C3A4E8429B86C758EB20EA262CA67AC46D7DA977,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001447085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.502{69CF5F33-2D1B-6154-FC02-00000000FE01}15281512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.299{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D1B-6154-FC02-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:43.299{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2D1B-6154-FC02-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.299{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.299{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D1B-6154-FC02-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.301{69CF5F33-2D1B-6154-FC02-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001447071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.018{69CF5F33-2D1A-6154-FB02-00000000FE01}19883324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:44.510{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0B5030A86BE86F1E1A138ECAB5F240,SHA256=63D0ADA8ED1D0D4D95AC43CDA63907BF5AB406FE10AA386FF1BE69A78361F3FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:42.145{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35437-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.674{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77A0B5B1CFF1BC4A5CD324B7B37AC07,SHA256=249405C70D645B366CC5B4F20FBBE64F0E4B9CCC2F112C196EC6D27EE5C87FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001447114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.471{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D1C-6154-FE02-00000000FE01}652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.471{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:08:44.471{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2D1C-6154-FE02-00000000FE01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.471{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D1C-6154-FE02-00000000FE01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.472{69CF5F33-2D1C-6154-FE02-00000000FE01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001447101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.206{69CF5F33-2D1B-6154-FD02-00000000FE01}2232644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001541993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:43.564{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:45.526{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745CD81EEAF6C0F6D4165CE434713BD8,SHA256=2B21F49EDD387CA5B04ABB06F3A42885616F79EFC96269E9758408EDFDD2BDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:45.737{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F824B7112E1AD1CA8E3D7B4425E6DCCF,SHA256=7728D1B13D39B62D0A913E9C5CAB31EBD9A76D64A9DB5935D9D90415719E1B25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:43.256{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:45.143{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C0F4E55C0602DFD5051707F79C5453,SHA256=35EDC4BDB30273987F8A4E46B3C34A4A12E6C8CE2A9FBC3E52B81448B5675AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:46.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940D8B29527A81573541FD47CE64C030,SHA256=7C5CB35CA9FAC47ABDD1E9B7F40A45637A2B015A3299EC8C38B745174D8863B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:46.831{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92353DBCED73FFF1139691D59F8FDDA3,SHA256=46DC3B5C615EE71B1E0239B35C7A697D6BC17BCE13FF535979B918D554AE9B60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:44.349{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47511-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:46.159{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E82887F4818AE31F1132F1C38EC05DF,SHA256=913703F60F57A5758F45EB91DB4B1DB5A6DF2FB21CD189E4A1ECD54538996B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:46.107{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:47.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767D73FF40F59C2FAB148A94D56DDCD3,SHA256=E551443218BF016C90D6271764ABCEA003B8C0E33A38BCE0F5E8385303328BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:47.956{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81CA63F8A999DC3868F20125F4F958E4,SHA256=F3D7636B17FCA58F16801719A28E85F403A1D734B368AC3688A9693813922680,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:45.430{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53651-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:47.206{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D82B011EE5D896767B3BE41F3AC76AB,SHA256=D3A5B2A90A066BC7F5F3ECE31EA8D7E02F14872278BCFB93594D1446539D0B84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:45.411{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001542000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:48.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B92380DE08493C52FD40154B3D63550,SHA256=1B11C629E19C51868A16DA5F77F3B0C2F1EB0FBCA344D00623C6D4CD8E2383E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:46.533{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-59554-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:45.767{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50809-false10.0.1.12-8000- 23542300x80000000000000001447126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:48.221{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808305B641B092749144F5D6AAD0BFD1,SHA256=EE6C60B23DB24ED0146CB211D5F9709C92B53B6D8953F00CC8E4311E20C89C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:48.498{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:08:48.498{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:48.498{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001542002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:49.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D67CCE799656FE5B27D70CB91FD30CA,SHA256=E39B6B97AA892B6DF0E2F07EE3C02C70511B40E1E30FBD5D05B0FD051C45EDE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:47.671{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6771-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:49.237{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164FA3F433086636E4ABDB36EB26217E,SHA256=AFE6431CB0E731F4D75F526B549A8EC3714F614BF9F82C31A6A807511999411F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:49.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=486263E16E95C02CF3C8C99144EF989E,SHA256=A6F772EC608761220236CDC6DFDF45962A0FC6427193A203BB94EA8256C3424F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:50.268{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD01E9AFBF6DE028F5055C3E7B7E7D1,SHA256=28E12F93AE12C15BA03B8EF80FB2589FD3C37C0700AB06AC8B5F9620DE534730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:50.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA16F0B74060A7DA330E9A28944FCEB,SHA256=8E622750BFBF42226867584E63D6CF1B67DB1391EF39C47A58429E5E0A9BD510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:50.253{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48781DF84AF03E9101EBD7FEA23C9412,SHA256=8AAAE049F17E6F3CF226601EFDB80F80AA708C6CCC02A7FDCB0D52A186829E60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:49.442{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001542004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:51.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BEC84B2EB11DB504B294AA6A1810F1,SHA256=2C92FDA9568EE455B5CA885AC9EE67D7272B913C95F3CCE42A4D3A547369918E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:49.943{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:48.818{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13438-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:51.347{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D682C95EA854AA2AB001B7B9E259EC,SHA256=EDB60BAE10617BD39F5A00F59199D0A6E93EC4000BB216133014E7A903065308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:51.315{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C07C60890721EDE0DAE63255F8065385,SHA256=6E71FE69891E548406D46BC4FA0E85810355C6F9FA7A2ED0872E2283B98E7D03,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001542006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:52.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFC62D89DA83A36376E1F6E92EE0300,SHA256=2A3FCE9259A2CEDD022266996D73E5B0A79A477D0C2BA3B94C0F26366620A9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:52.409{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41FDF93000C56AA3D9B55EB0F799DAB3,SHA256=2E6D9A0F128EED18963D480849036B732B2ABF5425274C93E199D61FE2AB9550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:52.362{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9252EA02DDBDEB673309D2554547765,SHA256=BA925C01D23A3F483212D7DABD7EB846C63378B114DA5D546EF372A72DEAD989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:53.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0396C4ADEDFC6E63213BF106F14EA106,SHA256=9642300BF1CE21BCCFB5233DA53B2F7FC8791514EEE058110C91090CF77811D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:53.628{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8B9C36457B8174427C719438FCD0FE4,SHA256=1D4D8E131EC7099E38FFB2108695391161AB382B046CA5D7C404FB05A2C1297C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:53.378{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E726B811C4AA1DB44C007953AA65DE,SHA256=23DBFB285C2CCD94B49840B9641A70EA7BC3DC39E9A93434FC44651D8281CDEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:51.021{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25781-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:54.706{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70FF4EBEF9ADBD2A099F03355D1E7D38,SHA256=A4B56EF9389A73BA34D785FA8A800751554D91D3FDF286CDA8A74A2CB24468BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:54.394{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AC6B9F842E465A4CC6CDB7818EE51C,SHA256=15D83DB6D56F2E95B84674359C4C3162DA4DBD5D13EDD5024C85EA0DAB509B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:54.560{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1621C5DFFD413521C75D5F1FB27F35CD,SHA256=13F61CAEBE97681139600C87CE3E32175F65C5ECBB369AE19EF9B59CFECDDFB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:52.114{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-31415-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:51.736{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50810-false10.0.1.12-8000- 
23542300x80000000000000001542009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:55.576{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D91873E57847B84B6FC8E4A0683FCCB,SHA256=61E538F023D3A0EC2385F031E52997A1FE615C6D585AB9094157CB7012B6CF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:55.831{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F13BE956BF0C447962CAA59241D24FE6,SHA256=EB008079E6884468E56DA1D4B9207474F77CEB0FF01BDC02EC5BA7D54D8BB66E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:55.425{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F310D411C2FAEE1F1F19CF65F96D33B8,SHA256=90A0D033839043A2CB7A260B406A6C0B4B661DD6585A7CC0499D904DBC877C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:53.318{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001542011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001542048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:01.515{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2D2D-6154-3A03-00000000FE01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001542047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:01.516{5EBD8912-2D2D-6154-3A03-00000000FE01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001542046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:01.046{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36DA1990ADB74E6B021165A332F7051,SHA256=A4EA6880B14760AA526A1B50E4C2D76973CA9568C0E8B8FFC8FBD0B784E1D874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:01.472{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76A8781D48E96D7CBE8EC2D7897C56A8,SHA256=5DE7339B4259084D247C83F8AADA78314F93E744586D335FCEB09BFC43132DAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:08:58.974{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-9834-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001542077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.921{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103737B756A9601CBA3F2706C4F4F5DE,SHA256=DE698A5C22057B193C6A0D1E5E55F19B73491E980FE3BAB3794D9B2CAF074746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:02.582{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C310B1FDB52A8F52A8D1EAF372A1654C,SHA256=AFAF8EF1E76D006DC4FDA3B0F0324C5F0575442674145DEC602CCB690099C578,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001542076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.874{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2D2E-6154-3C03-00000000FE01}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:02.874{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.874{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:02.874{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.874{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.874{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2D2E-6154-3C03-00000000FE01}2680C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001542070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.874{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2D2E-6154-3C03-00000000FE01}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001542069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.875{5EBD8912-2D2E-6154-3C03-00000000FE01}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001542068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.515{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6BC4C3560B727021065BEF647363F11,SHA256=9A9732A706CED033BA087D441FCB4084BF1CEFCF00BE10618AD295715702A570,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001542067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.452{5EBD8912-2D2E-6154-3B03-00000000FE01}5056864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.202{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2D2E-6154-3B03-00000000FE01}5056C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.202{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:02.202{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.202{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:02.202{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.202{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2D2E-6154-3B03-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001542060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.202{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2D2E-6154-3B03-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001542059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:02.204{5EBD8912-2D2E-6154-3B03-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001447168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:02.550{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B31E70884B05135A96865A0BE82EB82,SHA256=6FCD70A6C4FA9D12AACEF9AB4641AA8B1367A8DCE04DD3768D6230F00FCE0979,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:00.084{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-15750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:03.644{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F43B0AA4C648B7898FA48DF9F909A3DA,SHA256=2F10FBBE3B122E401BE4F5A7DD3B7B8FCE433441809DA571C6AD2F006CB05A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:03.597{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE684D7012C80AD6E9F8912EBD57F7A,SHA256=D09C104A655281FCC4C9B9147C5407AEF69826ACED0B423AB9468F09E8233966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:03.906{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=210B031B9C2B4C324972C1FE63D44BBB,SHA256=B87F499D724953D05DA52727C1BBC516F74137C5109F7B376A2978C23CC05954,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:08:59.568{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001542078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:03.109{5EBD8912-2D2E-6154-3C03-00000000FE01}26805372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001447175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:04.722{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69BC78571B1F19C489D027F8E5953007,SHA256=E5197344CDC6ECB647162B7DD10195C870AE99C4A6A2070F438F40B2D63F9A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:04.597{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E844D1202E7A060D07C45BDDAAAE1D,SHA256=5EAFD4A85AE2B031EC61F92F8B14E3D4F72ED73CA79FA768586E4AE6C3385AB8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001542089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:04.624{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2D30-6154-3D03-00000000FE01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:04.624{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:04.624{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:04.624{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:04.624{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001542084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:04.624{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2D30-6154-3D03-00000000FE01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001542083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:04.624{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2D30-6154-3D03-00000000FE01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001542082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:04.625{5EBD8912-2D30-6154-3D03-00000000FE01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001542081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:04.031{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFB8CD8A3AFD3AF3766F798E9E0A152,SHA256=2082B928BE73533937251A5E0825CF96F19292BA6869A12537205D334D2A4623,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001447173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:02.256{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27928-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:01.162{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:05.925{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66F9162D2159C710C266D7D1084A370C,SHA256=59ACCF5792B9BC98DE19230BA5CDAC3CBADDBE854F5FC72973D726A039E06C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:05.613{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AF0D0C219BACD097C888E85025C147,SHA256=0E323C9CBEA4F2CA80F1A5EBEE5819D0A3DBDC26E3DAB1AFF0000DE24AE3BB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:05.629{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=209355117B555D67EE4DF36447D77F01,SHA256=66F7A20EC95474B3164B3C7BC7570911A0998AC494FE3893A66658C70BC82ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:05.031{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DECD66B8D7003AF1B219298531B508A,SHA256=16521DA162D74297076FF58C1D4B0C417222A01781946753AB4065BC654EAC82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:03.334{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:02.892{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50812-false10.0.1.12-8000- 23542300x80000000000000001447180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:06.629{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C1F010954A08038DE04195679E3086,SHA256=56C332B6FF07A3FADC69CCB3526486F3BF4F965D8119C0F8C739A291333764D6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001542092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:06.035{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2A6CCC230D06FAF90516F935252655,SHA256=D5B78482C0307485C72F4D6A38DBBAB144D9F26894FD60E33FAAEC28AD265CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:07.691{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18ED7AED8B444B76A0B8675C76F4EDDA,SHA256=606AF0471167AE9E854CB7F1D5BE60B5F7A991FC1C9B9C2710BC9B3716C7D33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:07.051{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03D6A85AA6BD1D378AD997D1D1937FF,SHA256=4EA9557D45DD952974DCA043451C555D31E93690FD9424029762EA7A0286D03F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:05.615{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46449-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:04.482{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:07.113{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C35EA806419C4527B7E7316BFA7CCA7C,SHA256=EE1573BAF5BC2F25230CE1E12C7B090D20866A870E71EB91512373FE7B2AD241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:08.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31593973C1D52BE3A67796F656D09743,SHA256=0E7B408EF26884A04BCED363641349009D851AC0866105AA1B9B493CBB3F7D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:08.879{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EF74EB16E56D2CBBD3F45A854CCD20C,SHA256=19A178D4D43B215A50FACC652957AA9D66A265D01CCB0BDC60327FEBCBEE4FA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:05.354{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001542094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:08.051{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0101E8DF5E28A5D3DC94A744BC1C3ED8,SHA256=E82FC3D4AF546932F7BDBB219EBEE5D45828B2BF0941EB3C857E025F864F7509,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:06.814{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:08.238{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFA566A37FA213CA84BD14AC1EB3DEAE,SHA256=6DA3B78A8B58143C86688197E1C28BA008CA5CA58192883D81E0066844B5BCB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:09.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE2C0BE320DF869F8336CEA21C71DD8,SHA256=2AC8F9D7130EC37C318EF299B4AE76790C26FDCAD2952E7901CF1910CA97D477,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001542098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:09.067{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45ECBADBCA5C9CD85E9426F582B66D5,SHA256=AEE75AC4891602428D93BC5EAEF8BD5F8F08E38DEA7B38B424CAE3209BB0E662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:09.426{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85C174EAFD5F369E2995AF1FEF46F7F4,SHA256=69E0AA09E0739BC89A220157B377A2432E9C57A56EB27553B03FEA8048BD6305,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:07.108{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13814-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001447193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:10.769{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C42FF7427EFAC45CFF5168D93D63F0F,SHA256=31135B36BDF799510D4FCF739A257FEAEB774A349D486C8443887545669A496E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:10.176{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819950002AD4830D314A515CAC10C3C0,SHA256=2B6362E36211720BB0C06DE359B56D30B3EDE1670F2C5379099317C3BAE7014D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:10.551{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C5A58C16BA52089B2791DBAADB8F019,SHA256=DEABA83E3DADE0A0637D311C82E16511665811F56F0ECC26DF2457E7D1144BCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:08.892{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50813-false10.0.1.12-8000- 354300x80000000000000001447190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:07.931{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-58938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001542100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:07.131{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13986-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:10.004{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A42C037B9805D6B469A63F04438616DB,SHA256=38B1894CEABBEE9BB442CF2233514AF59A1A605B859A04967F10761E1AB65F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:11.770{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3994459DAEABF1430FADBB34B1D89D2D,SHA256=0AA64C8CF89393298F876F541BEBFF385DA0820A745DB3BCC94AC9DA74ACA700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:11.176{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D08447E0D31A830AC9CBBF3414BA3E,SHA256=E3E4420E63814AA862A927895E122BC0CFBB30FFB7AB0440212F3186A19FC257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:11.676{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=849FF5E1B3F332ADDF6B0CF791379CA9,SHA256=B7F59B4410B05964CC0FE58A11FCA111169EB5F478453567B166E88DE30BB11B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001447194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:09.129{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001542103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:11.082{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=790A1C3B94DF7583B27C38FB5CEC1398,SHA256=C01830EB23381D3802F5B3D24FF1BA3BC53B008784C4A26DF36BAC4491095CEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:08.234{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18903-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001447198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:12.785{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340A8469E351A3877320ABFEC738D57F,SHA256=6AF6BB0C30651E4FDEC15EA8529C586F48115CCAB4F48DF579518A7B8CB9F865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:12.176{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D3A6F07A33267E2175104FF6DF44E5,SHA256=AEFB99DBE5C4F1EEAC0A1C32221069314278F9C9335532E639FE049D29F1E98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:12.176{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9AD59C78703A65265D9B92F3F6129E,SHA256=A2F38176E0DE8DD58FB18C4D8BC49F82B7FD10CF7983A4B4F99D5B1896272072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:12.754{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=952049AC610E4020C255CACB1A06E248,SHA256=C08ED0DFF6670FE8E6D566F792DC0826E4820736A12FC631536DEE17EBEA5B14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:09.344{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001447202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:13.910{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28A99680BDC578E7B2F4888DA225AF81,SHA256=F0F075A361BD72529A1BE3A24704BA8D9D679BE025A5B11115B5F26627928EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:13.816{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FA51544B385C7E6B06531EBABC751C,SHA256=DDD2C956ABD6ED9EC82E94B3A9BEF55404B932BFC0894D71C6EBE7D5087E847E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:13.301{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=835FA6D3CF99BF638296B31537DB8476,SHA256=4E4DDDFB2A272ADDA406F94F633809B98C18C4321DF7C84F345987AAB2CB5206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:13.207{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92469BAC0D5A5D6C9172D46924315F7,SHA256=F937454EB1C2CF803C94BF2C599F035C1F06C4D5C60C5C172498369437955624,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:11.365{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.43.15-19136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:10.254{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001447205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:14.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F8D7FD5CB831ABA040C802BB8BD697,SHA256=398F96C913B2A261A9D541951FDAE111C8ECA4AFB4E2AFF5278587CC84D1E30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:14.926{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9AAFAED3EAD522C669AB508B9518F883,SHA256=435429DFC2FA7A6C91037AA8C726132F54DCD8BE7CCE07DF125D7244136C1067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:14.817{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF0B805E4A5FD91BD4227BB6B31949A,SHA256=5F81F0DF2F494764203E7FE7BDBB410358B164A293BB871D8261017203E7DAD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:14.567{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA1A7CE425587E726E126DFD70D8FE69,SHA256=C2E9872E1B732CDAAFC74C2E6EAF17EC1E70A9C44430D6CB0F1BF52177F4F4C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:11.545{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33216-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:10.495{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001542111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:10.444{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28306-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:14.379{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC097EA48D7415CD7AC54CBEF327D5B,SHA256=FE28F632923409C741B3546A0DDB38DD30D2EA25E4006E1570447F65A17F0777,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001447208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:15.848{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BD2C0544D50E18A42151625871A48C,SHA256=E4AB233A5CB3083367FD44E14DA5991144EC4BB264B64863A1EEDD6ABEAD6E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:15.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C10DEF5B89BC9956740DF00C63D0108B,SHA256=5ABD7A172763A6A013695751B530DF80D2234AA1710DF8BAD2F60195455D91CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:15.379{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34130A917E74CAB35F785E3B8F1E5893,SHA256=EA12B4B3B97D4EA6EEA9D3026773388F8E2576114B876160ABCEAE1F1996F859,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001447207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:13.599{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-31492-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001447206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:27.430{69CF5F33-2D47-6154-FF02-00000000FE01}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001447241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:27.210{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BCB3E56DB1F5F91DCCD945747FC4F50,SHA256=F033625861C2F7C5F265A589533A8D93BF79754E5E31E42DAD346DCDED468374,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001542152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:27.895{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25885E1B1A9E84B012AC29AB01F18F78,SHA256=C4EE10FDDB592446D4D390E04171AD64683E41C3888FB001BFFE0C9392FBCAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:27.504{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A278269CDD71E3518DCE3CCD68FFB6E5,SHA256=71F40E1348781BE27908C950EB1C34114AB6DEA8D8413F6E5833D8C0395FF634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:28.973{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C21321C471E1AC8C7CCF6B15D1927090,SHA256=48A71358F5186DA814E547EC5768AC48F2AFE3AD9E48D489B9695A1475AAD3C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:26.090{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37967-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 
09:09:25.000{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33265-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:28.504{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C40C4C5A8745B92C1D3FB8E8C0C49C,SHA256=A3FC0CCD51F636D06C1F569E4DE94DA66C1A460690707F63A02C2C66F1CCA8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.727{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0344AD9890796DB8C7FAE4093331FF9B,SHA256=7FBCE05C7AD680E6FB216D6DE7E931D0B08C3C4B6D2B62D02A1111C868688C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.726{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0756BF8913AE3FE72159B3B839625DC7,SHA256=03B9DD2D5059A2851473381E4A5E5D39012DB367B7DF826E582DD1838738E2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.724{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-086MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001447269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.348{69CF5F33-2D48-6154-0003-00000000FE01}32563304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.160{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D48-6154-0003-00000000FE01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:28.160{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.160{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2D48-6154-0003-00000000FE01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.160{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D48-6154-0003-00000000FE01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:28.161{69CF5F33-2D48-6154-0003-00000000FE01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001542157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:29.582{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC6186E586345BEA879311C90AB7304,SHA256=37EF9664E906FD7FFAC61B651498200EF3E3E555903284506928323E2A311488,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001447287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:29.630{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D49-6154-0103-00000000FE01}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:29.630{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:29.630{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:29.630{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:29.630{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:29.630{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:42.787{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D56-6154-0203-00000000FE01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:42.787{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:42.787{69CF5F33-2D56-6154-0203-00000000FE01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001447303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:42.662{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5575DC829744801B7D81E3285B23284C,SHA256=116B97C0894BD499923494248A7A18FD03DAF3F19F36E3F31106CC10E6ED4CC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:40.031{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:39.329{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:38.918{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40939-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:42.130{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B8FD261FC21E7527D692D9E58EBE215,SHA256=0BB74801006CD32FDDAC787A539C74FA31877FFDFF3D82BDB451727B86574A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:42.051{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D779A2335A91EE1E72DF6D93EC44F640,SHA256=D01F264271EB63D65F0434A36A9F7A482BEB8C7135A9D0E30A57BEA149EB2BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001447344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.959{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D57-6154-0403-00000000FE01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.959{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.959{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2D57-6154-0403-00000000FE01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.959{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D57-6154-0403-00000000FE01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.960{69CF5F33-2D57-6154-0403-00000000FE01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001447331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.695{69CF5F33-2D57-6154-0303-00000000FE01}23803040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001542210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:43.223{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C3EFAC8563BB2138E8770F3A6A97CBC,SHA256=90D237F502A0FEE06ECE0CCE97878DEE98604F5D5BB6C72D6D3902319F103649,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:41.140{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse94.232.41.27-51497-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:40.406{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-41207-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:43.114{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D40F9E9B06871F85A5DFAEED171F19F,SHA256=44FDDDE078EF73B8FDEE9B633BD139323205A888CAFC3A1926D0870D26961A1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001447330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D57-6154-0303-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:43.459{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2D57-6154-0303-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D57-6154-0303-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.459{69CF5F33-2D57-6154-0303-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001447317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:43.084{69CF5F33-2D56-6154-0203-00000000FE01}33762252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001447362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:42.907{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50820-false10.0.1.12-8000- 10341000x80000000000000001447361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2D58-6154-0503-00000000FE01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 
09:09:44.631{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001447351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2D58-6154-0503-00000000FE01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001447350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2D58-6154-0503-00000000FE01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001447349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.631{69CF5F33-2D58-6154-0503-00000000FE01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001447348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.193{69CF5F33-2D57-6154-0403-00000000FE01}3648504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001447347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.088{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB8E8EE6F20139883062A0BC1804DB3E,SHA256=2B9A2AD24F40AA713CE3E36FEEE07C6705DAB4AE47D42CC537A06258B087783C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.088{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C194A9935BC2604DE052FF53AC81B79,SHA256=C52CD66FD9297376AAB630A49A7E5EC2CFBDB3E4E9FC32903AF02818E525DF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:44.088{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7B514D3BC4E1D36F8850315AFB49BD8,SHA256=62EF9F1F7430B1D91D2968897292B726029E7DFF6136AD15128CC43F224335A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:44.301{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15A9FD91C3BB8E7CA033B6FEC85FB170,SHA256=91FF18F0B7E06EA05587205344EE74667B40D5F3F7FFCDB93C26906C78551964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:44.114{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBD3D0C33BA8732E7BEB40995D64D36,SHA256=5FC8DCFF253A20054A3A75D8A52A2FBFE1EBE7C6A1A009B79BEB89729E2F843A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:45.411{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8862E63D156E115A3D2F65D8E645C696,SHA256=9DD47CE9BCAEC264B5FE4D538B68C03C2FD3723DE6B2AB206FFBCDC49A537F87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:43.309{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3088-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:42.563{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001542215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:42.219{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:41.484{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:45.114{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F59B8DFACF80BDA74CF6F30568161FE,SHA256=55C38DEF9B981A8E1543AE2581844ACA864762FE0F92AD4E00A7C3436C2F3B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:45.224{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A80089D52F08ECDBB38CD587F9F747F,SHA256=9968EC28423D1E9748B3DD708BEBADF2A9871F430FFA9F14A5E0FDA794223ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:45.224{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB8E8EE6F20139883062A0BC1804DB3E,SHA256=2B9A2AD24F40AA713CE3E36FEEE07C6705DAB4AE47D42CC537A06258B087783C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:46.506{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8F5BCD318A3E126ACBAC77973574F6A,SHA256=CD8A839C59777A87230A57CA760B5529981A855F22A96294D9D115062DF04479,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:44.418{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:44.387{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001542221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:43.656{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:46.131{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:46.116{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689BAEA08893C5D49B28E34E20EDE4EA,SHA256=CBAA0491101ED59E1981DF7D4A5CFD4FCCBB29CD79677D4DB356C28AF630A452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:46.224{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF4799290B91CDC42F556BF0311A1A3,SHA256=EFA44D238249DFAC5566F473A5CD050630B3EA67EDD0F885234346C56538984A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:47.240{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A855052FEB85F542FD47372C704286C1,SHA256=D43FE3C98FBFCAD8255FBA199C1605753172146C38CCBD0B917F5CA94CC02850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:47.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364B314B9AE9785AA7EE08DB5CB1263B,SHA256=838EE6F3A4B970C1407BD08AD976F53602AA63FAB00A0813382258C5BD5BBDA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:45.435{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001542226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:44.766{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1279-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:47.288{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4989F6AEF4474EF80D5C9282A3C439BF,SHA256=679516A13A3D22A37E45978919837A101B3A3371750DBD465CD9DD060E2798E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:48.709{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F117CACF0D03697B22B94C86504BDE7,SHA256=39EB4BBDC47C0776AF9DD79528833C15B1CDD4ECA1967CE6F1BF81DB932D5036,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001542231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:48.366{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56127C7E35C0E6C813DDD2C23359E9E6,SHA256=5D3A1984C51288AF6AA52689F080F33C8A89E00FA9BE76C21658E8164A1C515D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:48.271{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A86A2DD46586F498B4D039C8271DDE,SHA256=4CB433E8029859631214CAC64620391ED8ABCC84F5EA20CE26DB8D2DE332E557,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:45.860{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:45.518{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-13608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001542236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:49.819{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B538834E6451C77F861B69B7AB109942,SHA256=44F5B38B10B5750C9BD1754C1925C4CA7CAA425833AF775CD3EF087182A7DBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001542235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:49.381{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E920F8C1F7907EDCFDABB56DF3B37970,SHA256=4BEAAA7E9E79D7F28D6AF49CADCC8F9ECC4448960204B57E657E9F986C884C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001447368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:09:49.303{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442EBB101DE5998E5C8EBAB374C7FA7A,SHA256=3660F9B46A543CB93EF3FF61335A4A3FDF67721A3B6020457F340E58EAE8DC3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001542234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:46.971{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:46.603{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-18669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 
354300x80000000000000001542238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:48.063{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15456-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001542237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:09:47.702{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-23974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server